10341000x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69DB-6092-A004-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-69DB-6092-A004-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.936{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69DB-6092-A004-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.937{04D9AEC0-69DB-6092-A004-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:11.233{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09561877F0D4AE9DAA276EA706FF7623,SHA256=69ADC7773F14C74D0F7B047F5116B9BFD4EBBBE0FFF0B24A11328D547D6E91CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.968{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860A68E1DC21BD947AB0B410A4C9F9D3,SHA256=833D42DE708D2C4F75F9FDB4587BCB07C45A23597881478984E32777181D26DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.968{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD2E9480FAD1E14C29CA65BF47325E96,SHA256=698AA835B4856664EB70DFADA5C00485771E26DAA833454C05B8BBC4ACCB8B8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:10.912{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69DC-6092-A104-00000000BC01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-69DC-6092-A104-00000000BC01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.436{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69DC-6092-A104-00000000BC01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.438{04D9AEC0-69DC-6092-A104-00000000BC01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.249{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2855C2A01BCD76B8DBABE0B603E72D1B,SHA256=26C4955A8C3FDF9C8F5A8F68CDB89F98671759E1ED61B317262D29502C3E656E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:12.077{04D9AEC0-69DB-6092-A004-00000000BC01}1020220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.280{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F85C318AF224C5C785165F3CD7532AA,SHA256=F09D6AAEF495F330FD6BA7097584141F6EFC387A81AA71B774A079261001F034,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69DD-6092-A204-00000000BC01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-69DD-6092-A204-00000000BC01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.061{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69DD-6092-A204-00000000BC01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:13.063{04D9AEC0-69DD-6092-A204-00000000BC01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000057868Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:13.145{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.624{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.296{04D9AEC0-69DE-6092-A304-00000000BC01}3732956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.296{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452DA1A365377A8FF601623D6CB395DC,SHA256=FAD700595CA9451A10A19A444A1CF04440ECDBA3446DE0F226DF0C7C732AEBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69DE-6092-A304-00000000BC01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-69DE-6092-A304-00000000BC01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.171{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69DE-6092-A304-00000000BC01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.172{04D9AEC0-69DE-6092-A304-00000000BC01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.077{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860A68E1DC21BD947AB0B410A4C9F9D3,SHA256=833D42DE708D2C4F75F9FDB4587BCB07C45A23597881478984E32777181D26DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:14.396{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.483{04D9AEC0-69DF-6092-A404-00000000BC01}32121532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69DF-6092-A404-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-69DF-6092-A404-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69DF-6092-A404-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.343{04D9AEC0-69DF-6092-A404-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.327{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B665215992982D8B546C172C0118CC,SHA256=BB14E4435427EA50F18B1E22165256977A248004DC009D7C385F258C5779B00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.186{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C93F251D1D5D22C7F7C047B86D68033,SHA256=CF4234306D9A4163B987970BF8F377DD3CB031C7548A1648E433BF5FA7CBCF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.780{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FC62F152718483B525991F93793332,SHA256=D586F6C74EFCCC4892210A1B4EF1A934F87587761FFF027F383F470DE0F601D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69E0-6092-A604-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-69E0-6092-A604-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.686{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69E0-6092-A604-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.687{04D9AEC0-69E0-6092-A604-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.358{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C98B26F950D701018052D6571CE870E,SHA256=0F461920802664E713FE68C7E28AD09C44202D3686F4DF1BA3E26D1C6CB564B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.155{04D9AEC0-69E0-6092-A504-00000000BC01}14241244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-69E0-6092-A504-00000000BC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-69E0-6092-A504-00000000BC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-69E0-6092-A504-00000000BC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:16.015{04D9AEC0-69E0-6092-A504-00000000BC01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:15.943{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:17.796{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AB25DB89B8A5DD3B5203CE5ED3E8A01,SHA256=86F19A5AABFCC3B0B63533D0B89FFF3D6C416279AE5ACE3CE79307081398427E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:17.702{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D555417B3F5E3863340F12FA7090572D,SHA256=FE117359821450223538ACD6A74AD7375F760D18D3B020179B143140CC875127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:18.718{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D6F30C3574CA0D627410492CB6C43,SHA256=5F6AA85E927D9795FD98DAEA419D4E4AD0386CE53F28E0C1FB1905DB87BC6219,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057869Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:18.145{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:19.749{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF218267F0777E8E6263FF6956F5107E,SHA256=42AE58E3412F1587DAB23BD1AEAC0580434333298CD3CA3C090CCDBAE4829908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057897Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057896Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057895Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057894Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057893Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057892Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057891Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057890Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057889Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057888Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057887Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057886Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057885Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057884Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057883Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057882Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057881Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057880Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057879Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057878Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057877Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057876Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057875Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057874Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057873Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057872Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057871Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057870Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:20.669{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:20.764{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747ABB096720DCD89FF5945E1ECD0A28,SHA256=5E8A7343FD444D584F406120E50ABF7F2EF0CD0749076B6F7638228C742EE0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:21.780{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7964AB5E22096CB43A34930660B915FA,SHA256=6CFBB151BE54E05C58993FB23BD217FCF4312E8AF6A98B5910E1B1F529CC9C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:22.843{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE97873519232338B9F9EDE135862ADF,SHA256=8A1BD0E0FF79E86FED733F2607F07AD5441FA410D3A3214A64CC0C4EBE5BCDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:23.952{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADA821FE43C3B759A2EA1F3EEDAF61,SHA256=9DAA04C307BA8890FF7E8F6D95841801A68DF2B4276D1F236C2AD2BBDCD53DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:21.005{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:24.983{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF68CEF87D8E9F8E3A6923537A6AF7E,SHA256=10D37EE96B0B29BBB9D54F9E55A48FCFF60B17EB47C32EE8DEBBC9889AF80325,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057898Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:23.223{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:25.921{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0779CE7805F9134C1C119ABB5D5A3C8E,SHA256=5781F32E34ADA4BC6B1A0A763C832083A501747E9D12F8D99ECEC99ECA452199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057900Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:26.716{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B63E94D99654CEBD5EFB914F9FC2F13D,SHA256=FA1D26168FC406DAA03AA912CB0458C158577CD339F9079B7F6D29B52D841B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057899Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:26.716{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADFD65B50B05DE4AACC27DE176265F4E,SHA256=233343B9A803EB4AD42147F12EC30BE0E78AEAD274625933A92216390ACE0B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:26.030{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D88C4E03DAF5ED336323F1B3D4359FA,SHA256=7BE9C1C6E0832BC6E3700313419E5906A7F395727618B6E43A38FEE19A1CA1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:27.046{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F0B757BE6A1E1F6C28E4E20B1FAC4E,SHA256=B9EEC1812E25A54F5754FBC694E00697B9D082DB61A4457B892078C054A6DDEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057902Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:25.661{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local63930-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000057901Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:25.661{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local63930-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:27.036{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:28.061{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32806C1F7012E4041360CF677BE9DA7C,SHA256=F82946B82F0AAC5453B3661691B459C39C8187BF4D761E5CA9AC9652BAFE0A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:29.077{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF0E4E5BF90E598B4D0110DC71C11E1,SHA256=77E3D5221B2988017BF0457ED1D1028D40FE361733737AE7D3960F7A0FD41BAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057903Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:29.192{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:30.092{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD45AB56438564C9F08C860582D10AA8,SHA256=F77E072990C8BCBA6D25E0D1C27B49DDEC7712F215728370EA3C8ABAC200E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:31.108{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA266BB3629727D09F312E8BBDFBA298,SHA256=A739055E780E27ED1091771A2A2FE49DF66DDE2894C6B4C42A052E8006089D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:32.124{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A260608811EED9BFBCFF3EA6922FE3B,SHA256=850D4435985C715AEA7C835B2E8ADC22F7F03793E5A2995C963A255E45BA4AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:33.139{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D2B494FB4DDB011F83AD61D681C941,SHA256=CB2707699C54486A209CC465964A45DA236BA7B2FF65C4B10D102E263391B60F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057919Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F2-6092-B608-00000000BA01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057918Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057917Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057916Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057915Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057914Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-69F2-6092-B608-00000000BA01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057913Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F2-6092-B608-00000000BA01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057912Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.904{B13AE1A5-69F2-6092-B608-00000000BA01}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000057911Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F2-6092-B508-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057910Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057909Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057908Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057907Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057906Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-69F2-6092-B508-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057905Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.232{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F2-6092-B508-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057904Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:34.233{B13AE1A5-69F2-6092-B508-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:34.155{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A885139581A59C564C1BDAC678D5C7,SHA256=08910C7487BEA9BE9FF76F96E1D92A945F0877BA4AF513E94CDE51AC8A76074E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057930Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.716{B13AE1A5-69F3-6092-B708-00000000BA01}60766072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057929Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F3-6092-B708-00000000BA01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057928Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057927Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057926Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057925Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057924Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-69F3-6092-B708-00000000BA01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057923Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F3-6092-B708-00000000BA01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057922Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.576{B13AE1A5-69F3-6092-B708-00000000BA01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000057921Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.263{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18CF2F80F447720FFE0AB5A51556C44B,SHA256=A8FC18818D2082042308A88303163958078067F9AED23E55F29BF173A1EF57CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057920Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.263{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B63E94D99654CEBD5EFB914F9FC2F13D,SHA256=FA1D26168FC406DAA03AA912CB0458C158577CD339F9079B7F6D29B52D841B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:35.170{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CD9F019C212FA86B4899FA1536D904,SHA256=39FE472ECD88C68F04E8542FD084DABE8573FF54BB9474F9575DCE0FC78DD105,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:32.817{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000057940Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.716{B13AE1A5-69F4-6092-B808-00000000BA01}4320868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057939Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.607{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18CF2F80F447720FFE0AB5A51556C44B,SHA256=A8FC18818D2082042308A88303163958078067F9AED23E55F29BF173A1EF57CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057938Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F4-6092-B808-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057937Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057936Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057935Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057934Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057933Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-69F4-6092-B808-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057932Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F4-6092-B808-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057931Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:36.576{B13AE1A5-69F4-6092-B808-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:36.170{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D345F141F32C06ECA8AD4E3FEDE938,SHA256=97F9DB976FA98F365FCA03A5F127F9A10F1E4FC305CC313AABFABD3078730921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057958Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F5-6092-BA08-00000000BA01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057957Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057956Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057955Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057954Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057953Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-69F5-6092-BA08-00000000BA01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057952Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.919{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F5-6092-BA08-00000000BA01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057951Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.920{B13AE1A5-69F5-6092-BA08-00000000BA01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000057950Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.404{B13AE1A5-69F5-6092-B908-00000000BA01}31486396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057949Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F5-6092-B908-00000000BA01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057948Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057947Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057946Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057945Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057944Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-69F5-6092-B908-00000000BA01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057943Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.247{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F5-6092-B908-00000000BA01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057942Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:37.248{B13AE1A5-69F5-6092-B908-00000000BA01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000057941Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:35.192{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:37.186{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2FEA6F91B61540606DD5AECD90FC12,SHA256=3C7FC8D655833E8777E7503F7D2213EB415F22BBF625D658F611A816B0A9A0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057960Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:38.263{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A0E5CB8844863FC20116710F97E1B71,SHA256=44D3660366892B1D4B68AE32F1C4FDC50B1D07A39CFDF433A26A624E23BE82EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057959Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:38.060{B13AE1A5-69F5-6092-BA08-00000000BA01}44883860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:38.202{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84402985250DCFDBBD6FFEF9AFAD7736,SHA256=A60B06A43F4AF84176D1A5C6AB77648DC15128BFE69FA61AFD6F4F07A9334D05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057968Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-69F7-6092-BB08-00000000BA01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057967Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057966Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057965Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057964Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057963Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-69F7-6092-BB08-00000000BA01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057962Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.872{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-69F7-6092-BB08-00000000BA01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057961Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:39.873{B13AE1A5-69F7-6092-BB08-00000000BA01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:37.864{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:39.217{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362E88A36894FB8111F8AFC59F917B35,SHA256=436F2ABDF0A6C4FB94F5E7F46A1A1C9F4B27962FE9AD76C0FCA629E71A82712E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057969Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:40.919{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAEA30B16BF6E9F0FAEDC209962BD66B,SHA256=F7EF87CAEB3394D16F9491591910FA3F91DE0B893A74C46F71351B68A0185CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:40.280{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE744607825BC750632B6835BBDE2C,SHA256=8074B3E930348FD46D45A6495CF170F3A0FB4478A16D6294FA13758B9CDDBFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:41.326{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4FD6FBF499DBF9DFD1E11922F5E65F,SHA256=97EB50864A1EA3B7A1311B0662A2C83F61212CF65E8B1472330621E3FCC9FF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:42.373{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358222F3180307786F3CA71BC1044AD9,SHA256=B9CA20A0C044A70A4120DCB02CC6AC9BD7219C69EBCA1AF94BCB0B4C08A9D1D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057970Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:41.020{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:43.451{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B31B3AB2B1BDB86D4FA9DCD56C59FB4,SHA256=DA70E62EE6856ECE5D8E3BD06A773AFD40668E2F06DED245D02A157218AC9931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:44.451{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99253F1FC78AB67E0CC770CB0BD56C0,SHA256=ECC06577819972C89149ED053DA8FCD3956222B0782893A61967797552452A75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:43.895{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51504-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:45.498{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD7BD96FF7283DDFE9BB2769569E2CC,SHA256=029C733ED5D8FDC397D8A0903BE4AC82A37A5ED15DC15A0A3F59F58F231E94BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057971Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:44.491{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse162.142.125.37scanner-04.ch1.censys-scanner.com36548-false10.0.1.14win-dc-763.attackrange.local5985- 23542300x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:46.561{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CD84FE5E72A813F6AB6D1C1C0CFCBE,SHA256=494EAF1DB8671D8605C683599F8CF63F481683FF95C7AEDC8C381B92DA734012,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057973Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:45.793{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse162.142.125.37scanner-04.ch1.censys-scanner.com48120-false10.0.1.14win-dc-763.attackrange.local5985- 354300x800000000000000057972Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:45.598{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse162.142.125.37scanner-04.ch1.censys-scanner.com41094-false10.0.1.14win-dc-763.attackrange.local5985- 23542300x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:47.623{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1586AA7B8913DD308849327F0EC19145,SHA256=1866AA260C2A1892415031A0100988EA977A3AA224A14CBCDB8E4BE227A06621,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057976Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:47.004{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000057975Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:46.991{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse162.142.125.37scanner-04.ch1.censys-scanner.com54770-false10.0.1.14win-dc-763.attackrange.local5985- 354300x800000000000000057974Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:46.145{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54030- 23542300x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:48.670{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99460D37DBC35EB76EB20FE6DFA433B1,SHA256=E13010352DDA163AB901D12D64AEE885E483A64E8683372455DD9C40F73A11CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057977Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:49.669{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:49.686{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F789E6DD1D25FBD0CC213D2FACB18D2F,SHA256=6072DFCD5CEC2EF96638A1AAB56C959398C2367545356F69F7DC6FF657389CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:50.717{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D32166BFA7BD062E90AF10474FCC9DD,SHA256=6EEC6B64B62E85B99DAC41D7481F7E14C212A1DDBBD23D537B7FAE9709A7DF8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057978Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:49.629{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:51.826{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB01CE3E4D558BAB786582660F98173,SHA256=DC767414D9914E21B2DEFBE061C249C97AF9CD627229B5D71B6FC5F761480F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:52.920{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0F26D1ECD2C9341991F55BDCEBE3B0,SHA256=CAB94DF8AD5630259094EE1D5DB1385A142BC8C8B22838EB4B72904C80C2425D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:49.926{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51505-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000057979Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:52.223{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029476Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:54.029{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE200FCD5DD3F86E6B1B4BF57B57A4E,SHA256=7DDF81BA3D61885BD2D878DFF86154F0DD3FD4EC9462A0130A00D62A2661F05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029477Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:55.045{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A2DE72E0963B11003DC05B5408F955,SHA256=4B8796F2977939389D9FEF221B2FFF04976AA4C018CF0B7F752900D7E02CBE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057980Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:56.529{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B379FCBEEDF6EEF916EB51AF02C60CBB,SHA256=2ECB45813358E547D287AE27B638A7FA8B5B202D4537B45644FE9E122EFC9B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029478Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:56.061{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C71F1A8C9742D38A8CFFEBDC68C2C9F,SHA256=2FC51B811C63C1D87F278D05E8AB0226790C509813D161D7B67B5CF1421C8CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029480Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:55.973{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029479Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:57.061{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2CC64534397C93E8F1D479537AF8D2,SHA256=481165EDBD911AF883197D562CB66B69667C7048CA9E45C030FA2711900D5906,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000057981Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:48:58.669{B13AE1A5-471A-6092-1100-00000000BA01}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74193-0xdeeb9d5a) 23542300x800000000000000029481Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:58.092{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559085D79C97F2F00DF5E9B040CA0DE8,SHA256=876828DD627F12363D1CC4F503C00CE4479F14B8608EA855F0272390D833C079,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057982Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:48:58.067{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029482Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:48:59.139{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D5D9BF2B49D0937C383A3DFF50431F,SHA256=D5D262CCAB471AE24D7DD58F78BA468453E59F09846B7A713ABAEDF538A140E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029483Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:00.217{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB208BC48658A49FE6CBD2A03EC5711,SHA256=067C26A53DFCFF70BD50279EBFF220E998452EC76FF5874F23CB1EED7181470B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029484Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:01.264{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA8D03C313BFF69B8EAF50B4544537D,SHA256=6293F8FA0627302CE9266A110C831230563BB9925C9548E03B03DC287A629897,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029486Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:00.988{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029485Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:02.279{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FB9698251A15A8063F1A7833819F52,SHA256=F05D3976F0E522B3AEE5A35A2B6D8B33B6FB56E12735C3530BA00A154975935F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029487Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:03.326{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EEECA06BB8C5B725F51A8C6FD393AA,SHA256=DD13B9B6E4EB983DFD0904073366B95A4C732CE4A54A70D8B1EA74C189895D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029488Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:04.420{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABFB9AA07F1F5BC0C2A1034DEEB57E8,SHA256=CC81ECB008EA63CD4D7F9E476122E195936D1DAD351E4273AD482149BEC95766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029489Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:05.467{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15A64ED941AE98B38C6834C1B288260,SHA256=906D2E3367B0A517532E5C940D320BEA4158BE509CE88FE686957C29B18DA8DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057983Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:04.098{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029490Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:06.529{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F7F1DA4630E479C5BCAC81251B7AB4,SHA256=4E6F3AC4A8782010A744124BF96B408B52DC15AF52AFD9A03385AC70204E2E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029491Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:07.576{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DDCB0EDE220D39B1B54F386F5194BC,SHA256=A665D5D7290CA8896AA6DC43612D8D8AC77BCC60F29056A5558A22BC850B353C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029492Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:08.592{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D5303C4231C38C3D55E945822B089B,SHA256=BF77402E2F68137B3A4C68EFD912CDC584FB0349098DF7069B405CB8F329DB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029494Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:09.654{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461E39E6189D6EF8D4A694448D6A86B1,SHA256=30AE504A719567547A4138C654866519143B46F1DA5B90E42A943A7E964E5690,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029493Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:06.848{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029495Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:10.670{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F69D3F701CE5E4DEAC55557D7801A0,SHA256=1A1F7A60E5E450CAF33CD70DB5BEECDC912789D3E44961529DE3501B1D8B8996,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057984Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:10.035{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A17-6092-A704-00000000BC01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A17-6092-A704-00000000BC01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.951{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A17-6092-A704-00000000BC01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029497Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.952{04D9AEC0-6A17-6092-A704-00000000BC01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029496Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.685{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B07DF658CE7F94E226AB2C16FED658E,SHA256=FC0461F871FD8211FB02645EF2B33B2AE46F7599F570B5A27596E9A5C125C306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A18-6092-A804-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6A18-6092-A804-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A18-6092-A804-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:12.623{04D9AEC0-6A18-6092-A804-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:11.894{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.357{04D9AEC0-6A19-6092-A904-00000000BC01}27361928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A19-6092-A904-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A19-6092-A904-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A19-6092-A904-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D1D09D0F9D847F86FA7E2AF811ADFF5,SHA256=126BA1E452B2E6D4BF65BEB5827344CAD531E2CF548C6B92B9E71F40F297D488,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.218{04D9AEC0-6A19-6092-A904-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2117D9DE08995EB749974A75800ABDE1,SHA256=F7CA075FC62913A0BDA1892995AE67FF3001B9C9D94F741995974271D91C0E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:13.216{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85EB181AC6747AB0D29327A555650188,SHA256=91006251C368767F5EE1833365E379F91677A48CF50384A116D2D0140CFE17D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.654{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.357{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6384D0E865BB41F631B9F02C6C98C869,SHA256=B2603D7612CF61730CA6CBFF8788CACB11AB1E5DB66EBC26E88081DB86C2D599,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.310{04D9AEC0-6A1A-6092-AA04-00000000BC01}40402812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.232{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D1D09D0F9D847F86FA7E2AF811ADFF5,SHA256=126BA1E452B2E6D4BF65BEB5827344CAD531E2CF548C6B92B9E71F40F297D488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A1A-6092-AA04-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A1A-6092-AA04-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A1A-6092-AA04-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.170{04D9AEC0-6A1A-6092-AA04-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029571Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A1B-6092-AB04-00000000BC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029570Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029569Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029568Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029567Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029566Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029565Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029564Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029563Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029562Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A1B-6092-AB04-00000000BC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.341{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A1B-6092-AB04-00000000BC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.342{04D9AEC0-6A1B-6092-AB04-00000000BC01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:15.248{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A295D1711EC1DF1282ECB48DAF89895,SHA256=53E6829A16BB086C5FE31B34832B98349DC07F5859BA051661205FE0638FF2B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.779{04D9AEC0-6A1C-6092-AD04-00000000BC01}36683700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:14.426{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A1C-6092-AD04-00000000BC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029594Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029593Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029592Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029591Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029590Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A1C-6092-AD04-00000000BC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029589Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A1C-6092-AD04-00000000BC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029588Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.641{04D9AEC0-6A1C-6092-AD04-00000000BC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029587Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7893A7D0821DF715552E6F96F376AB,SHA256=E893D98544BC705EF7AF056D819E88780ED100DB3134200C7330845180C7605C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029586Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.638{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA389FECE1E709823FCCEF628256B204,SHA256=C50AF3B1D6562F852B294717884DBFAEE04DED3556C31B9A040C718F93924EE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029585Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.154{04D9AEC0-6A1C-6092-AC04-00000000BC01}9681680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029584Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A1C-6092-AC04-00000000BC01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029583Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029582Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029581Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029580Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029579Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029578Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029577Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029576Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029575Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029574Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A1C-6092-AC04-00000000BC01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029573Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.013{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A1C-6092-AC04-00000000BC01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029572Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.014{04D9AEC0-6A1C-6092-AC04-00000000BC01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000057985Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:16.066{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:17.669{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63967DCDB01BE924D374268E3B74201,SHA256=4F612C1F23665EDC43F5520C8C69D93812EE5F6333E2263347E53E689667BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:17.638{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=924ABB174457E1B63BE4ED3780A9C6E9,SHA256=A2EFF3B88A15BB73A772FF5359FE5C137EC62166C6BEA49BE7AFAE39B34215B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:16.910{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:18.701{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186A5A53F8DE47E3B2EFCC4A133F9C3D,SHA256=0F734817F07D3759247679D46353E6187BF1D3ABA11AE7AF6B04B5C4B5C4D998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:19.748{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0097B819B265DCFB2C1099C8B1E9E9CC,SHA256=AE1D781E08C1DF506FB36B7614D7A2968B613286ADCE90196ED2E4029EB6ECA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:20.794{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD0663EC26253887727D1AE1DCE3A29,SHA256=5C8CB6684AF79112BD460CE5961D7AB0E17ABB1472FB069DFC0DCBC2F91126CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057992Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057991Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057990Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057989Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057988Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057987Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057986Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:20.997{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:21.794{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE9C38C15E26EE074B38B4EC12B1196,SHA256=978A5C27E6732229ED490EAAC29A34F6F0E2BE76691349B81833E595FD8AE04B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057993Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:21.082{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:22.810{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6499AA693C7C727E7C7B924EADD516FA,SHA256=B4C0B16792629FE6FD11BE1D0D6F95C33BFEE22C25AA668CDD21E467B62B318F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:23.826{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC7B46318E4AF6D48B1DD23B56E4820,SHA256=E06595DAE1BC4E055FB5BAA6A41723D36ACB0BC5FC04E45A61FB351A1D4FE6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:24.841{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3431C499D46A39311F030EE6868CD97F,SHA256=1749885141A9BC7C2857A883EC9A4B9C5804BED30E89CC6CA2275FAB2EA89526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:25.935{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0B75484121891FFEABCD4BCC33A3C34F,SHA256=38159451A9D00EB98989BC2992B4A0E22ABDA0C5EDD1211ECF1860A6AE498FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029614Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:25.857{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286D37727A7FB2CAFF884E8216D83F30,SHA256=B159D6D444D8E24B95078A5B8304313DA306F897DA028578CBF4C5CD654757C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029613Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:22.941{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000057995Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:26.732{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81874350F6CAFCD63CD921BAB1CBB42,SHA256=E0644FEC20A6F2BC569D3503DAD5643A07F6280E8B2403D46AECE558F4A56C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057994Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:26.732{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0C48ACBE35C13CE8BBFA7918B617A3D,SHA256=F823F605AF6E3E494BC1CF815D726779A6B7BDABC61221D005055558AFEA2233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:26.872{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442BE1ADC8E071DAA803E044F3B440F3,SHA256=492CA6DEA8BD1AB9E46B28808A8345BADF36603480CDA756A0882FFD6B8AE4B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057997Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:25.676{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local63942-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000057996Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:25.676{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local63942-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:27.888{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A73BC16C643F83B859B1031AD751FDB,SHA256=401127A2DA137AB2F41F3AC169EBA856E9091B6BE1F88E402A304FD847521949,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057998Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:27.097{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029618Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:28.904{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796E844C69608D234537A01F6E96825,SHA256=6388F2484F999E9215B3297E98718D1352BDEA86A4E526C2B0B87CC05923B1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029619Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:29.982{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC2070BAFE5DB711252202D6E7A0B8A,SHA256=DDB0E8E87A34F9073F095F50B2B194A965F5918B9EC1AF2A277BE87D31DAEE4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029620Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:28.957{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029621Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:31.013{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87869D6236D32BC6ED08E7B1E5C34318,SHA256=5F887927B92C2E21F7E6DE94A8EC3CD346CB267EF7453CF6A28C0BAD92C66219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029622Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:32.075{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC041E745E9D64A8259BCF8A2E621CA7,SHA256=B9F1668D4412625F328CC51E98BA97177FB35B25DA002D5D84830D0CFE8ADF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029623Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:33.107{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6064D8942572A04BFCDEE21C2BD3EB2,SHA256=7D6EA2887475BD3E68920E4C7BD7512CE03D685902F08C90B40E1F51F0BDA3DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058015Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A2E-6092-BD08-00000000BA01}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058014Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058013Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058012Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058011Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058010Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A2E-6092-BD08-00000000BA01}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058009Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.919{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A2E-6092-BD08-00000000BA01}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058008Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.920{B13AE1A5-6A2E-6092-BD08-00000000BA01}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058007Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A2E-6092-BC08-00000000BA01}7592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058006Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058005Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058004Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058003Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058002Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6A2E-6092-BC08-00000000BA01}7592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058001Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.247{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A2E-6092-BC08-00000000BA01}7592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058000Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:34.248{B13AE1A5-6A2E-6092-BC08-00000000BA01}7592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000057999Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:32.160{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029624Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:34.122{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24BCE3B72CD5DCE2981EC16510D886E,SHA256=E9B3DAE411D80D13CFB1D7F28BA154558EA5FD978A510E400E49ACDE24A25D41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058026Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.591{B13AE1A5-6A2F-6092-BE08-00000000BA01}70127468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058025Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A2F-6092-BE08-00000000BA01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058024Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058023Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058022Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058021Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058020Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6A2F-6092-BE08-00000000BA01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058019Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A2F-6092-BE08-00000000BA01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058018Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.451{B13AE1A5-6A2F-6092-BE08-00000000BA01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058017Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.294{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=552265A631ACCB1449DD2B477D98771A,SHA256=E40620CEEF3D47747209BCC13AF42AA90E34397E748B6BA6F818761E9E379757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058016Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:35.294{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81874350F6CAFCD63CD921BAB1CBB42,SHA256=E0644FEC20A6F2BC569D3503DAD5643A07F6280E8B2403D46AECE558F4A56C9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029626Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:33.988{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029625Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:35.216{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D81DBD425556440A9ED6FCA3DC331C8,SHA256=4805256A93EB5239EFBCFC993FC47C01C5D8C10E4CE47D582AA3592C622DC7BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058036Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.747{B13AE1A5-6A30-6092-BF08-00000000BA01}46887684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058035Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A30-6092-BF08-00000000BA01}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058034Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058033Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058032Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058031Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058030Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A30-6092-BF08-00000000BA01}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058029Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.591{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A30-6092-BF08-00000000BA01}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058028Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.592{B13AE1A5-6A30-6092-BF08-00000000BA01}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058027Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:36.466{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=552265A631ACCB1449DD2B477D98771A,SHA256=E40620CEEF3D47747209BCC13AF42AA90E34397E748B6BA6F818761E9E379757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029627Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:36.325{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799BF9C1C2055E81799E947C206D3843,SHA256=8F3C8BD8807DFAD4902AC4BB8DB01D8C4913699B6BD066D60B0D8372BE6EF4A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058054Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A31-6092-C108-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058053Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058052Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058051Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058050Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058049Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A31-6092-C108-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058048Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.935{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A31-6092-C108-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058047Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.936{B13AE1A5-6A31-6092-C108-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058046Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.622{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6478CE4435CB0B8DDFC3003707A6E9,SHA256=45EBFE2C3B9E3B9A40E8C017623DE43D0DF5403CEA7E2D9BF13AD07C23F7D292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058045Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.404{B13AE1A5-6A31-6092-C008-00000000BA01}55488172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058044Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A31-6092-C008-00000000BA01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058043Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058042Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058041Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058040Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058039Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6A31-6092-C008-00000000BA01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058038Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.263{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A31-6092-C008-00000000BA01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058037Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:37.264{B13AE1A5-6A31-6092-C008-00000000BA01}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029628Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:37.435{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33399C70749C5779BC1A68F42B637E2B,SHA256=F756EF27C2676C5DFE5B71DEAF7FE1BCFA53A61BA2F68F62A4F6BB3801352FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058056Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:38.935{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4FA97E85C87AA42A7DAE989F9487AA5,SHA256=95604B4A61475B60C343C96B78AFFC7D064BCE6AFA50CFD93555C1CAFA9108BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058055Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:38.076{B13AE1A5-6A31-6092-C108-00000000BA01}43686956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029629Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:38.466{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1B66288FE54D4115F1D429AC6697D,SHA256=562F2DAEA76AE1189A909073D4B721D0B685C09F9A969A7AE2B25A7D6324995B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058064Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A33-6092-C208-00000000BA01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058063Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058062Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058061Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058060Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058059Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A33-6092-C208-00000000BA01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058058Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.872{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A33-6092-C208-00000000BA01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058057Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:39.873{B13AE1A5-6A33-6092-C208-00000000BA01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029630Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:39.497{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3FE806AC4473D153983B7CC377D790,SHA256=8FBABD9306C4FBC32763E26C09BA98132D2E122C46069F252DB2A2D6646A5B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058066Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:40.919{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=495D9399E4B3355D4110D2473B61085D,SHA256=123DF9BB8F76BBDED2867716B394772C3ED5CF23EDB2A7DC614FCB52F1D6AF20,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058065Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:38.160{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029631Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:40.544{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0050B2BF527A1C53A0202988EC84B328,SHA256=B7249B1602EF76EB3D145A6C6FB4671683A00B9497E389CAAF994D7006847B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029632Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:41.591{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A24CC84337267A834A1FBDA0C947655,SHA256=8E00FC276C247FD5CDC88C5CB53711F850A90625B4CD3103D0516F4C5BB3E5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029634Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:42.653{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAF8AE4590CDA7E245BACE06470CD03,SHA256=645E84FEAC9D041D93E91FC224623F879B2DD59A60B5DF0C2CCF98622C471DCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029633Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:40.019{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029635Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:43.685{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E9FD5597D90DDD779763005A012E4F,SHA256=C2B601B923BCEE06A9322F52C36473A75544B22042869CDC89E7442F92CBB661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029636Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:44.731{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791A026CEE55DD4679A13269EEA4B3CD,SHA256=27A04561E65D852257542EF002B4EE38D4B1FA69F3130CD7DD0CDEAFA8800DD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058067Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:44.128{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029637Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:45.856{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C106991707A843764D667395D7E2D8,SHA256=B6712667B6D1AB20CC1BCCF04EB9B49CE90976EDFB15BF3EB1CBD21CC84CFF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029638Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:46.888{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4975F91A79097FA810E901A3F1C3384,SHA256=D54A8B4D150756431A595697789EED51953BDE0FB22D6CE8B8C1D425399A0079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029640Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:47.966{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2131319485E3D4AD4520EC07AC4DF50,SHA256=999E9BE2BC01A7E84D5737153DF6E12D2553C22707A540A1257C182F74D57934,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029639Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:45.847{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058068Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:49.700{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029641Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:49.044{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F50FD4525BFEE584FD460D1DC91D23E,SHA256=19144FD519A59C677736CF6F71EADE4A1A3C83E7C9F52072845340C26DA2F67A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058069Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:49.160{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029642Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:50.044{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7674705F2633527B7C189BC86CF43A19,SHA256=FAB6A3EC9BA2A58D3E4638CEA4D9FA73D56C859CB0D300B9BF10C01CB759D4A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058070Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:49.660{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029643Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:51.091{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98B32D075AB2295B1D52F604D474540,SHA256=8C048548C6B051CDF37D5DB9F80C4DCB2CF6154C31E972D69B0AD9F9696FAC8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029645Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:50.878{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029644Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:52.200{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972E88D175501BC53EFBD548D9A31424,SHA256=FF517C02BE0220329E135EAEF0D5DC921F8832D6CAFF548A209257F149A168AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029646Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:53.231{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D798F4FA494519EA2938AB76C097460,SHA256=B6549DE6EFDE838F1FD4D964E86EF587F4E78078246140E9B4F687F7D27D0158,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000058084Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000058083Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000058082Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000058081Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x60927852) 13241300x800000000000000058080Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x60927690) 13241300x800000000000000058079Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x6092714a) 13241300x800000000000000058078Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x60926a42) 13241300x800000000000000058077Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000058076Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000058075Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000058074Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x800000000000000058073Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:54.779{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 10341000x800000000000000058072Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:54.341{B13AE1A5-471A-6092-1600-00000000BA01}15726392C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058071Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:54.341{B13AE1A5-471A-6092-1600-00000000BA01}15726392C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:54.247{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4787B98930EED3A1DF17DDFD270BB7B6,SHA256=68B3ABF1B619FDE14A7C6531E2EAA03D83105FF3BF9F043475E3E16BDD28B735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:55.294{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7003E63472FE2696C8FA46949DB18E9D,SHA256=BFFA33E27E044122EE189890AE5ECB44ECABA16E24D4251D6C91690EAD13AF5D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000058102Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:55.611{B13AE1A5-471A-6092-1400-00000000BA01}1332win-dc-7631460-C:\Windows\System32\svchost.exe 13241300x800000000000000058101Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000058100Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000058099Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000058098Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000058097Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000058096Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000058095Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000058094Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000058093Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000058092Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000058091Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000058090Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-763 10341000x800000000000000058089Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.810{B13AE1A5-4718-6092-0B00-00000000BA01}8604296C:\Windows\system32\lsass.exe{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000058088Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:49:56.810{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 354300x800000000000000058087Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:55.191{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local63949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000058086Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:54.753{B13AE1A5-471A-6092-1000-00000000BA01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-763.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000058085Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.544{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=83AEAF5AD0FE1530AC9E01512EC0C669,SHA256=F96383FB6C07FE39D9C20BBA2F873BEA863573D2AA38DC794C92E49C3AB12227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:56.309{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42102EA1397C56DBC0E58AE63EDE0884,SHA256=D38C74B5D974F9B902E9FD6C25E8E2A9D94C0DD168388DD7F90413B8353C3BD0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000058110Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.813{B13AE1A5-472A-6092-2D00-00000000BA01}2464attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x800000000000000058109Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.812{B13AE1A5-472A-6092-2D00-00000000BA01}2464attackrange.local0type: 2 win-dc-763.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x800000000000000058108Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.812{B13AE1A5-472A-6092-2D00-00000000BA01}2464win-dc-763.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x800000000000000058107Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.812{B13AE1A5-471A-6092-1400-00000000BA01}1332attackrange.local0type: 2 win-dc-763.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x800000000000000058106Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.807{B13AE1A5-472A-6092-2D00-00000000BA01}2464win-dc-763.attackrange.local0fe80::b974:a305:c345:f12f;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x800000000000000058105Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.802{B13AE1A5-471A-6092-1400-00000000BA01}1332win-dc-763.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 23542300x800000000000000058104Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:57.825{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABFB456F4A73E2D09EF4B1122243DECF,SHA256=FF65EBBE6BA341A63F910A4D5504D7127D7AD884E1CA2E6A5A94854C26E0C1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058103Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:57.825{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F48CD03BB27736370B065234130ECDC7,SHA256=3FF4C8D5E3A3752FC821892D3C9E3E04FF3DB30BEEFE9E1039938D5C28E7D841,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:55.893{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:57.325{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD64BFEB3E01AC3C3D03110B1451EFA,SHA256=666C0211E074A85B7918445458B2C6540CD2C4F0360DA61F5F7413FA134B4AA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058114Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.789{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-763.attackrange.local53991-false10.0.1.14win-dc-763.attackrange.local53domain 354300x800000000000000058113Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.789{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-763.attackrange.local53991-false10.0.1.14win-dc-763.attackrange.local53domain 354300x800000000000000058112Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.788{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.14win-dc-763.attackrange.local59652- 354300x800000000000000058111Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.788{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-763.attackrange.local59652-false10.0.1.14win-dc-763.attackrange.local53domain 23542300x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:58.450{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809CEA944CC3201565528B84DB5EE48D,SHA256=6A3FB4B554DC09B14B581EFB8F83076B34DF7E9AF72C889B1C235C29C0064210,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058124Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.798{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.14win-dc-763.attackrange.local63246- 354300x800000000000000058123Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.798{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local52751-false10.0.1.14win-dc-763.attackrange.local53domain 354300x800000000000000058122Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.797{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.14win-dc-763.attackrange.local52751- 354300x800000000000000058121Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.797{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:fa4a:b761:c800:3ad8:9be:ffff-52751-truea00:10e:ffb9:300:0:e9d9:a4ff:ff83-53domain 354300x800000000000000058120Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.797{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local62016- 354300x800000000000000058119Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.797{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local59652-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domain 354300x800000000000000058118Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.796{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local49595- 354300x800000000000000058117Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.792{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53992-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000058116Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.791{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53992-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000058115Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:49:56.790{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.14win-dc-763.attackrange.local54378- 23542300x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:49:59.528{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015A4372BFE00DC8BD28642CA30F20F8,SHA256=799026E8167C44962C9C3F8D84CEF2C9F0E27DCC4DEAA720333CEB52B7EBA62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:00.653{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A12516D2975BEFBD536088B2CE54C39,SHA256=48EF6D438149D0463169867168593A05A38DCE09203FDAAA10243DB9F449DE57,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000058125Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:01.654{B13AE1A5-471A-6092-1100-00000000BA01}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74194-0x04763ae2) 23542300x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:01.715{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46846C0A1E6342EB0B96600F42687ECA,SHA256=BB8555F9B3F9548F13CB489200C8034BF86A8A81821B050E7131D0377CCA4494,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058126Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:00.237{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local53993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:00.956{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:02.809{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378FB8C92376E63906384E1C73E43A3A,SHA256=8B85454E70F9E257F1CD32A02BACA15B7D1A19875C124A551B0700A8AAE63B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058127Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:01.612{B13AE1A5-471A-6092-1100-00000000BA01}1184C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-763.attackrange.local123ntpfalse51.105.208.173-123ntp 23542300x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:03.840{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEBDCF119CEFBC724A5AC031E7E39AA,SHA256=1A8149637A6466973DB670F336A5C6A456B59DD06ED995D140DBCB0C709CA2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:04.856{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15FD0571D542FB672A5D046208D58E0,SHA256=B11CA6BCA20BBA92D719D8F51EBFB37D6756708C7BF5F4613B06560BADCC6D2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058128Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:03.159{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local60167- 23542300x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:05.887{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAB9100A5EEE3F066657D2AE0E166F1,SHA256=10E6DCDBFA57D8CAC8E757456CD149C84DC00B6604BB9BAF838CCEED120E98E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058129Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:06.018{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local53994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:07.028{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE75DBC9169C77A84EE8BF7E9FC1211,SHA256=D276FDE6DE07C273B11E5CBD80EF2C48B77A46A80B16246990E159CB53E94526,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029663Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:06.971{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:08.075{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FE8494488D51E2F1E6E58587CB51AA,SHA256=4E422E01B81BC9E6BE344E852FD3E5DD42DD29C7224DD12E8455B41247C42669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:09.090{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D23437D1A39CE8CA6AB3511C8CD00E7,SHA256=4A222BD95B45BFA8C4CEF56B465BC2E6E1E4A704FBAB462CED63AA598BE61929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:10.153{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19418C9180C4DCD394F29EDE956B7497,SHA256=C6B725B5393652F97575F9439BCD7D057E935395B3234E884314A023A7A18A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029679Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A53-6092-AE04-00000000BC01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029678Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029677Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029676Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A53-6092-AE04-00000000BC01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.965{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A53-6092-AE04-00000000BC01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.966{04D9AEC0-6A53-6092-AE04-00000000BC01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:11.184{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67ACA450C1E595EA6B87C0D0C81F5F3,SHA256=B35792E4906CEBCD0AFED2652F32955FA54BC245F61CBBA1B60EEBAD97247F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.778{04D9AEC0-6A54-6092-AF04-00000000BC01}6602840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A54-6092-AF04-00000000BC01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029685Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029684Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029683Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6A54-6092-AF04-00000000BC01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029682Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.637{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A54-6092-AF04-00000000BC01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029681Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.638{04D9AEC0-6A54-6092-AF04-00000000BC01}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029680Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.246{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C14CAC97AD4922C5E2CC7784A0C19E,SHA256=F02CBD9815FB11BF0C7727E82CE73C11C77C8095A02479EFD7B1A3B88EDF28A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058130Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:12.018{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local53995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F1294DC6CDC9E8C501F8EA443D04F2,SHA256=F034AA1DE3501230494C8CC7573243AAA508C9444BC771526FEE05C7E9AC08B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A55-6092-B004-00000000BC01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A55-6092-B004-00000000BC01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.309{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A55-6092-B004-00000000BC01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.310{04D9AEC0-6A55-6092-B004-00000000BC01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.012{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB249999E57704DFF695E8741DAC14A,SHA256=74FAB51BA36B01E249EFE2AAFC99891DBEACA010E1ED3FCBA274601616376B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:13.012{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2140543CCAF6A705C3F97035F299C627,SHA256=76D43D4B4E90BDBCF96F772947C7703A7E5012C7BE96BB79C58FF85A4383CBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029728Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.684{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029727Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:12.831{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029726Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.574{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34682AB6B0E0CE559C12C88FB666B082,SHA256=9632E48EB4B445143919965AEA8268E74BB4B4242FBB282563CBBB4559AA8613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029725Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.574{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB249999E57704DFF695E8741DAC14A,SHA256=74FAB51BA36B01E249EFE2AAFC99891DBEACA010E1ED3FCBA274601616376B9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029724Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.309{04D9AEC0-6A56-6092-B104-00000000BC01}36083408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029723Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A56-6092-B104-00000000BC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029722Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029721Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029720Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029719Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029718Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029717Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029716Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A56-6092-B104-00000000BC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.168{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A56-6092-B104-00000000BC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.169{04D9AEC0-6A56-6092-B104-00000000BC01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.574{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8613ECA890B9063FA12F1A3FC3D8DEA4,SHA256=D410DBBCB05C484B036C0E4644378C3A49B4BCB67788B52E9D7EF6884EAAB3E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.481{04D9AEC0-6A57-6092-B204-00000000BC01}10961916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A57-6092-B204-00000000BC01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029734Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029732Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029731Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A57-6092-B204-00000000BC01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029730Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.340{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A57-6092-B204-00000000BC01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029729Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:15.341{04D9AEC0-6A57-6092-B204-00000000BC01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058132Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:16.482{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058131Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:16.482{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029773Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.824{04D9AEC0-6A58-6092-B404-00000000BC01}6401300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000029772Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:14.456{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000029771Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A58-6092-B404-00000000BC01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029770Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029769Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029768Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029767Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029766Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029765Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029764Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029763Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029762Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A58-6092-B404-00000000BC01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.684{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A58-6092-B404-00000000BC01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.685{04D9AEC0-6A58-6092-B404-00000000BC01}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.590{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DA4C62E16FF57951E5E840D33C9D81,SHA256=6CA692B76E7670E824181E277C83623F6FD59926FED8755CB7DC202A02792AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.434{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34E1376A1A34117889EB8D28965793C0,SHA256=7B566621038A9A91767E7AA429AA7C2EEECB4601C0F5300667A430CA4C0DCF02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A58-6092-B304-00000000BC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6A58-6092-B304-00000000BC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.012{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A58-6092-B304-00000000BC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:16.013{04D9AEC0-6A58-6092-B304-00000000BC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029775Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:17.762{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C368B9B129BA1F19370F873AEE93B57,SHA256=FF833A67CB859419BF784FF330D17BD151F0FB790C5852E890FF5D806FD0A452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029774Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:17.606{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E670F94205D12E315DDCB4C55FCFAC2,SHA256=A210C1B502015DF2613882F235242B5A606D1480C6D53A92B3CC0105EE5893EA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000058142Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000058141Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0089d130) 13241300x800000000000000058140Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418b-0xac446132) 13241300x800000000000000058139Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74194-0x0e08c932) 13241300x800000000000000058138Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419c-0x6fcd3132) 13241300x800000000000000058137Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000058136Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0089d130) 13241300x800000000000000058135Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418b-0xac446132) 13241300x800000000000000058134Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74194-0x0e08c932) 13241300x800000000000000058133Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:18.060{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419c-0x6fcd3132) 23542300x800000000000000029776Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:18.621{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9016F0BB7BAB9F265A64793E14BFE36,SHA256=AE91EF8953CD01A834E557D1CA6A593FD8CE488A4822B39120BE49DB658448E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058143Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:18.034{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local53996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029778Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:17.861{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029777Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:19.637{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDC1FDBB840F359B0DB5D1413B39BB6,SHA256=8EAFF0784F5E3DC814D2938943C00FFD982BB1E8DD9BFC54474B6E34EE2FBB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029779Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:20.746{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5EBCF55EEC395116DFB8740F6A4DE4,SHA256=B68EB05633594EF19A7F6E0C194684147D9DF520410F3FAC1298B223001DE953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058182Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058181Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058180Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058179Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058178Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058177Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058176Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058175Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058174Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058173Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058172Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2C00-00000000BA01}2752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058171Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2C00-00000000BA01}2752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058170Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058169Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058168Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058167Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058166Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058165Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058164Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058163Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058162Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058161Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058160Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058159Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058158Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058157Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058156Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058155Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058154Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058153Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058152Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058151Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058150Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058149Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058148Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058147Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058146Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058145Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058144Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:21.685{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029780Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:21.777{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4B1FFF4AC1E961BAB04AAB8CB8788D,SHA256=E7DCE984291384143551A637E9BCB3AEB8DB9A1AD4BDDE1B7BC641D6576DA648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058183Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.435{B13AE1A5-4718-6092-0B00-00000000BA01}8604296C:\Windows\system32\lsass.exe{B13AE1A5-4716-6092-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:22.793{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0756AA6BC1A5D33C365E9BC7241E24A3,SHA256=86A6C2D0F52E14AACDAB5ED52A6648CD49950F0A3604DDDD495F1459F616EA36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058191Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.412{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local53999-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000058190Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.412{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local53999-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000058189Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.310{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-763.attackrange.local53998-false10.0.1.14win-dc-763.attackrange.local389ldap 354300x800000000000000058188Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.310{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local53998-false10.0.1.14win-dc-763.attackrange.local389ldap 354300x800000000000000058187Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.303{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local53997-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000058186Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:22.303{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local53997-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 23542300x800000000000000058185Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:23.357{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A70FB3750DAA5B991724640C2192966A,SHA256=8529459925DE8B34AF32BDEBA58156A7E8B1F8B6B5581766018B7B93FBD5C790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058184Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:23.357{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABFB456F4A73E2D09EF4B1122243DECF,SHA256=FF65EBBE6BA341A63F910A4D5504D7127D7AD884E1CA2E6A5A94854C26E0C1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:23.934{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1796AF8673FD685DDFDA5B0860198B,SHA256=DBBDD448222E9AEDFA3606BF4FDD25AD6269ED679C3B278990B7B0ADB67CA9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:24.949{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C176449E1BA77BE51441CE391BB757E,SHA256=D8EF95AE95163B03E8855401D957A1B8EEE66074911EB8F1E696308A6FF18242,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058192Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:24.049{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:25.965{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD443005F5BEF32CB960F12044119E8,SHA256=458C28F4801A37F3CAF5FB45209AFBFD2A716BDF241F685FF99B80DEEFC2CCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:25.949{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9DD11816274200609DC5BBF1A7EEF5C2,SHA256=E690464B4A38B528243E7047642FE499167CCF5045E5224A028051A7BFA8DB9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:23.877{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058193Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:26.732{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A70FB3750DAA5B991724640C2192966A,SHA256=8529459925DE8B34AF32BDEBA58156A7E8B1F8B6B5581766018B7B93FBD5C790,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058195Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:25.690{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54001-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000058194Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:25.690{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54001-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:27.012{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482B1A6C6A478B7384A963294593CC79,SHA256=29014FCD7334E8FE0C869BA82A7F03819E0B5531588D266861E29365E9DF1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:28.027{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451C13E5DFCD342FA8AEE34012AF246A,SHA256=3859FCC0928DF8BB97B669105D6484A8F69243C2876F2564989ECFA4C550DA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:29.043{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41952208773892A24F27AD236FC6219,SHA256=45566D4F4CCBDD203F1B30E0B74DDDBA4CE9148E231D6A6A74AE2133034DC12B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:30.074{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42C365DECA8B4200E64088CBDF413C2,SHA256=B7B88DF339191DBD49D74616347212F7266F4F6786CEC5CD5F19E88E49E0C492,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058196Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:30.018{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:28.908{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:31.090{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124712E898AA08FF4D00C8BBFFF3766,SHA256=88B532867138D66755E49B2132E43E2AB00C54AF81BF6DE8D8DAA98F76BD94FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:32.137{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B72F0F8A47E175A2D8C4C6949C32FE4,SHA256=957D743A6C2A77A7EF85CBA4B7D581F6DB08E0D356419497784E9750C6697A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:33.183{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9143686CB971D7220804AAFDB6D92B3E,SHA256=853BDEC7A36BA6C4B156365A273F5573EF9CE76511FBE85E547E63073F457DC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058214Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6A-6092-C408-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058213Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058212Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058211Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058210Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058209Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A6A-6092-C408-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058208Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.935{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6A-6092-C408-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058207Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.936{B13AE1A5-6A6A-6092-C408-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058206Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.279{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFDE97A5951732C7B46BA0C1825E689E,SHA256=39485C39CEFB680E0C7B755FCFCB966435D506B1345A8F7921161DA2246E6B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058205Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.279{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AB56FE904E9CFBD427E1FB52AA541A1,SHA256=B7D7A46786FAEB23CF42849B750552EB998C9B0490CCFECE85553FD44E79D6D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058204Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6A-6092-C308-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058203Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058202Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058201Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058200Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058199Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A6A-6092-C308-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058198Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.263{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6A-6092-C308-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058197Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:34.264{B13AE1A5-6A6A-6092-C308-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:34.246{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1B1B79A80EA4B8DA73E0CCA4232E63,SHA256=35949BBC8F22118DDDFCF50B7FAE5E33D84AA90F792BBEB0B2730383B0C8B4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058224Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.951{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFDE97A5951732C7B46BA0C1825E689E,SHA256=39485C39CEFB680E0C7B755FCFCB966435D506B1345A8F7921161DA2246E6B0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058223Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.747{B13AE1A5-6A6B-6092-C508-00000000BA01}81286532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058222Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6B-6092-C508-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058221Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058220Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058219Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058218Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058217Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6A6B-6092-C508-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058216Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.607{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6B-6092-C508-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058215Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.608{B13AE1A5-6A6B-6092-C508-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:33.924{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:35.262{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4508F8492BC498B00341AC458FC2114A,SHA256=25B38CEE077210C9AB70B6A758DBBDD89551850F3F9EA07F1EBB651030C677E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058234Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.747{B13AE1A5-6A6C-6092-C608-00000000BA01}81403816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058233Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:35.065{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058232Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6C-6092-C608-00000000BA01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058231Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058230Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058229Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058228Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058227Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A6C-6092-C608-00000000BA01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058226Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.607{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6C-6092-C608-00000000BA01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058225Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.608{B13AE1A5-6A6C-6092-C608-00000000BA01}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:36.277{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9C3FB4B95B526A5C4DA527E5EF1B8F,SHA256=C40F18FDE8DF4C070E75E98B2DD6C0FF6D71CB22FB0A112571F5FA3C2A1EABF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058255Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6D-6092-C808-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058254Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058253Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058252Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058251Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058250Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6A6D-6092-C808-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058249Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.904{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6D-6092-C808-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058248Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.905{B13AE1A5-6A6D-6092-C808-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000058247Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.651{B13AE1A5-471A-6092-0F00-00000000BA01}1140C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse51.161.104.168ip168.ip-51-161-104.net58394-false10.0.1.14win-dc-763.attackrange.local3389ms-wbt-server 354300x800000000000000058246Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.426{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54004-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000058245Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:36.426{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54004-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 23542300x800000000000000058244Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.638{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DABA761A0ECBD0BABD98D51C927C62D,SHA256=5B4CF5183CE0D6761F97AE1D4BCBD3DC70DA551BD1C7570E00008CD994A349B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058243Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.435{B13AE1A5-6A6D-6092-C708-00000000BA01}31206328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058242Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6D-6092-C708-00000000BA01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058241Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058240Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058239Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058238Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058237Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6A6D-6092-C708-00000000BA01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058236Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6D-6092-C708-00000000BA01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058235Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:37.279{B13AE1A5-6A6D-6092-C708-00000000BA01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:37.308{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C364308ED91931FA45FB5CDE278AB3B,SHA256=60A3F32B1B785D4A0C07C53CCC837F9D89B7AB4CE1C3D8A730AB229A96575D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058257Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:38.919{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C933F5B371DE860DB6C9BA54CE7FC575,SHA256=13A508C764D337A6DC87700E3E48373AD492567A878FB1DD1682D29EB87E2FA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058256Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:38.044{B13AE1A5-6A6D-6092-C808-00000000BA01}80408020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:38.324{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C572BE02690C0C9968A900E7134AEAE4,SHA256=CBEA454275BDF1ED4B51180DAB5A3F69BE80B731E61A7A60CF03220EF6FF9D5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058265Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6A6F-6092-C908-00000000BA01}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058264Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058263Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058262Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058261Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058260Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6A6F-6092-C908-00000000BA01}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058259Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.872{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6A6F-6092-C908-00000000BA01}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058258Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:39.873{B13AE1A5-6A6F-6092-C908-00000000BA01}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:39.340{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B8920BA7C0BF953F61B62B5A5B30B5,SHA256=A34C7E23F914A926489E129A105A49F4649E504D077BB234A32AD80331EC65E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058266Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:40.966{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57D4B04633D26436C99F7F0F0575FBB8,SHA256=8C8BFE52979C909E1979CF823BB5F5B6CAF7C20EE2A7CF3354F784C461E0E5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:40.355{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0FD6C81DDF33BB1D96B03568157B0D,SHA256=8BC6A3D042ABE4B5E2F724B34412D5DD396F2D5E6C4FDBA1055FC062354A8EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:39.939{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:41.386{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3249266AAD1DDA3992E1B03C090F48,SHA256=8C42102F29899557AF0FC408E91F62535A4104C1A64C73B304DC319D016A4D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058316Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.513{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CEE81F36684C9B98AF0A65AD32FB23E,SHA256=ABA2138BEE1E2A503E0DC8640D41A4B893A615DCE8FE09A12A36E430CD455A46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058315Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.294{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6A72-6092-CA08-00000000BA01}2360C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058314Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.294{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6A72-6092-CA08-00000000BA01}2360C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058313Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.294{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-6A72-6092-CA08-00000000BA01}2360C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058312Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.279{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6A72-6092-CA08-00000000BA01}2360C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058311Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.279{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6A72-6092-CA08-00000000BA01}2360C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058310Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.279{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-6A72-6092-CA08-00000000BA01}2360C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000058309Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:42.279{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x800000000000000058308Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:42.263{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4\Config SourceDWORD (0x00000001) 10341000x800000000000000058307Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.263{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 13241300x800000000000000058306Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:50:42.263{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4.XML 10341000x800000000000000058305Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.263{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058304Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.263{B13AE1A5-4D0F-6092-F804-00000000BA01}44084120C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058303Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.263{B13AE1A5-4D0F-6092-F804-00000000BA01}44084120C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058302Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000058301Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000058300Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843712C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058299Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843712C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000058298Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0F-6092-F804-00000000BA01}44084484C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058297Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0F-6092-F804-00000000BA01}44084484C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058296Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058295Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.247{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058294Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058293Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058292Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058291Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058290Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058289Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058288Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058287Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058286Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058285Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058284Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058283Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058282Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058281Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058280Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058279Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058278Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058277Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-471A-6092-0D00-00000000BA01}1004916C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058276Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058275Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058274Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058273Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058272Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058271Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058270Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.232{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058269Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.216{B13AE1A5-4D0F-6092-F804-00000000BA01}44085100C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058268Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.216{B13AE1A5-4D0F-6092-F804-00000000BA01}44085100C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058267Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:40.080{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:42.449{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC979D23A941863EBE48C0A2E988E1C3,SHA256=2CD725AB5171566E67CE0E142ACA41FD9794F7547EEC5762DD7CAF97D86E0BB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058322Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.260{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54008-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000058321Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.260{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54008-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000058320Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.253{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54007-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000058319Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.253{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54007-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000058318Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.238{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54006-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000058317Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:42.238{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54006-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 23542300x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:43.636{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37BE345851E1B2FA50095C0D2A18082,SHA256=8C419B9E5540274647E43F750C054D17A15BF89539B4E5E265A4C1788A7113FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058331Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.154{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058330Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.154{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058329Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058328Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4D0F-6092-F804-00000000BA01}44084528C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058327Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4D0F-6092-F804-00000000BA01}44084528C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058326Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4D0F-6092-F804-00000000BA01}44082440C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058325Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4D0F-6092-F804-00000000BA01}44082440C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058324Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058323Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:44.138{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:44.652{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E202CBB0C9DD8049B2B109356B4C75,SHA256=13F10F4A8E1C4E460C544402A2E22AFFA226F8A5FBEAA66D06666AE221BEC806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058353Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058352Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058351Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44082192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058350Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058349Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058348Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085996C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058347Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085996C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058346Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085996C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058345Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085996C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058344Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058343Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058342Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058341Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058340Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.372{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058339Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.372{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058338Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.357{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058337Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.357{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058336Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.341{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058335Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.341{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058334Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.341{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058333Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.341{B13AE1A5-4D0F-6092-F804-00000000BA01}44087804C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+3c8ec|C:\Windows\System32\SHELL32.dll+e2187|C:\Windows\System32\SHELL32.dll+e20e5 154100x800000000000000058332Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.356{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:45.746{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CD56E5C2A438F39240AC5590CEAB78,SHA256=34BDD4488449B6F9D083333A7073430AD916AE950C533FFBCE2E417752F3BBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058354Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:46.435{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=366C96CF9948EE6F9268A47B20D40A93,SHA256=C0230BD6425E28C3D6500E2BCC015431FCE7694A9E2A4E1D4CFACAC18F87E772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:46.808{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651F884AA19BC2D802AF944EE9D39867,SHA256=8498A22CD6D132350284EE72CA5ED2DADA5D8F1B208E04567F6B9872F2C980DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058359Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:47.747{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058358Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:47.747{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058357Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:47.747{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058356Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:47.747{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x800000000000000058355Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:45.080{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:47.839{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBF7D45A02F255383CE3D5FEC077BA5,SHA256=65DBFE34F42952F59BDAC356775597AD5FA1DD82FCD6D66A542B73B3DC6F8F21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:44.970{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:48.871{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3366E8E768730B623BBE1D7A61214B,SHA256=4B21F625F766604BD535EE6D1D015B586D6E736042EFBFE6135A3E277B85BB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058369Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.732{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058368Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.482{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058367Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.482{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058366Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058365Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058364Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058363Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.482{B13AE1A5-4D0E-6092-EE04-00000000BA01}8163588C:\Windows\system32\sihost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058362Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.419{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058361Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.419{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058360Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.419{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:49.980{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871B428BB0B313795857CD11A4CEC62A,SHA256=06DA53F570FDB858DFCE56699D26CE620F883A5C37BE11B3C5ED351DD97CD442,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058370Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:49.690{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:51.027{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3ABECA7F0030EBAD87A63DC868A4C4,SHA256=4829066D41ADBC82E32C290672160A616BD5AEC9ECAD94AEE82C1DF28F42C801,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058371Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:51.080{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:50.845{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51529-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:52.199{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35281D57E97C3B0700B3B27D3D5DBFD,SHA256=D40F99E79D756FBA59D6BCB27705C1023E90EFD85B9E985F64FDF5B5536F4E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:53.386{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536BA0E0973FE28E0B311EA154290B9,SHA256=3B3CF943CCF1D746B143F67686017986DEF26DB543107056D5A73C58E462D40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:54.417{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A4B6430043458BFE5A3D15727F53F4,SHA256=8742CEC01EBAEB135836FA94467CEE6FA514A82E8F52725F56B70A3D9CEC6C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:55.480{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3685EABBF88620D00906CFE05E54F5,SHA256=7DE61EF215758DA37C403378B70DD07CBF4D363B1D2AD4D840118AF1A9427894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058372Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:56.560{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6FA2894B253B2607EDE269EA8339D082,SHA256=568256FDD218AB5FD0727547C98CD9C512CCD0468EC3F6F92A7745693CAA2FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:56.495{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786E479D5AA41DDBB4A267FAF3099903,SHA256=9B04A537CB833C438DB92D68766B5CD24F9E7FFAAA7D93F13584E836975D3DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058373Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:50:56.127{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:57.527{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDF4DE713CD18D5C71B8896C3ACD5DF,SHA256=DF44AA1C87833C626BF1B191D969240C4ED0135296BF4F0B4C6F8D8EBE91F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029823Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:58.589{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B539436045A80B4F6B4015D64ED37BB,SHA256=938D0FA9CFF8588DB3AB6908B3850FC95C4C8110169795B4B2FB2EE2CCE90339,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:56.876{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51530-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029824Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:50:59.620{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F7B422B8663AE7C553F5B9809CC26A,SHA256=86FBB34C5E35396FE30E3700AFCC9664FC8E4D7C90909F7C7585F4DC2FA80FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029825Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:00.652{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5809B906EB2BE9AAC4C22E396B750D99,SHA256=F122ECEEE91812BAF7E37A8F041CF28FA0942F8AAA269793A8059FFD741B6D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029826Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:01.683{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771754AB21E1BBE31D5311880B49E4D2,SHA256=2051CCFFA00E9205473B3BF26DDCB8AB958901A4C5394505A63E791122C3FFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029827Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:02.745{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FA548693097D4D9FDD178D0131A46,SHA256=54800211E7568E2EFEFF64D57A65165EDCED092B7F057B7D47BF6C21FC980142,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058374Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:02.127{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:01.923{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51531-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029828Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:03.777{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F02625DF2C90CB5A66300B0B9081AF,SHA256=6E91C9EFDB0C99C2AE10EDEEF0F84AE387192BB45D2D89D328EC3A62118FFB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:04.823{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6550D60E8C5BA0723C9C0C3C080CF9AC,SHA256=7CA1925CB9A010A42A9AF1DB6240A3AF978E95B18BBBC6CCBA1796876CE711BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:05.839{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17093995C16DC9D94363EC01B197A4C,SHA256=CDDB842D57AAF7012253533FC0F0DF82F3CEB8846E14386FBF8D10A70177809A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:06.886{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731215BE3B5B7A934630FBD3BD782574,SHA256=A2D9740A1CBC7F1E04C606CFC1E2249A228F707460C0182DAD6D9D321C896CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:07.933{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD9BC702828A4E5B35632A4BA033019,SHA256=797C4BB84E58883169E9A5CCDEA12C32DA14ED1A9EFCE16ED47BB17F66961132,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058375Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:07.143{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54014-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029835Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:06.985{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51532-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029834Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:09.011{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E04B8FF9B601935E7D628BC28C0A84A,SHA256=11496485FC2937DF24653BC8BCC71E250E367F7315B4596E82B7D9E72B2906F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029836Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:10.026{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A159016F0D8B65350EAE1DBF7A01E956,SHA256=74E59F8A94C1C45319CAE407E0577CDFE18211BD9ADDACA64EA20EA10343E4E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029850Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A8F-6092-B504-00000000BC01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029849Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029841Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029840Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A8F-6092-B504-00000000BC01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029839Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.964{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A8F-6092-B504-00000000BC01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029838Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.965{04D9AEC0-6A8F-6092-B504-00000000BC01}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029837Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:11.073{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0E0CF4FD2F8B2DF711B128AF92F0FA,SHA256=EA23BCFF46A21C49197F683E51319824D5590647E1B694F005421D65F4CE1272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029865Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A90-6092-B604-00000000BC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029864Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029863Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029862Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029861Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029860Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029859Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029858Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029857Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029856Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029855Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A90-6092-B604-00000000BC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029854Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A90-6092-B604-00000000BC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029853Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.636{04D9AEC0-6A90-6092-B604-00000000BC01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029852Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.104{04D9AEC0-6A8F-6092-B504-00000000BC01}9481128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029851Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.089{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254FBF25A76EF7C9846BD1401FE78733,SHA256=920AF9FD15ABF94B69995556DDEC05BEBD8FC75F035E9EBCA1E5DA59E460483C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029881Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A91-6092-B704-00000000BC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029880Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029879Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029878Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029877Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029876Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029875Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029874Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029873Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029872Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029871Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6A91-6092-B704-00000000BC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029870Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.276{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A91-6092-B704-00000000BC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029869Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.278{04D9AEC0-6A91-6092-B704-00000000BC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029868Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.120{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B095B1F0A5E1D285DD43A4DD5B31147,SHA256=67205F5658236BC12D7EDB6F425F7368B326BF5DDB26E51E88C852EEFB0B0DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029867Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.104{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D2F822F7BC5E4C68AE3E21246FEB9D,SHA256=B8BDEAA5E1299DB79D40716327CB6F86061C2B1DB56EB35BD8DD6D394AC5F1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029866Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:13.104{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38667BE047EACB1506C0FD8199F6436F,SHA256=2205BEF4C3AC6202966D91546303235AF7D3889BE42CF8F0FE7F6D21C4DCDCBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058376Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:13.127{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029899Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.714{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029898Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.464{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D2F822F7BC5E4C68AE3E21246FEB9D,SHA256=B8BDEAA5E1299DB79D40716327CB6F86061C2B1DB56EB35BD8DD6D394AC5F1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029897Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.417{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A804CBD9A7A3021FAD6CE5E13E5B6C7,SHA256=0461CA821FBDE287102AFB5B9D3E3979F11B72BBF78BDB624B72AEBA420EB859,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029896Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:12.016{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029895Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.308{04D9AEC0-6A92-6092-B804-00000000BC01}17922548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029894Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A92-6092-B804-00000000BC01}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029893Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029892Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029891Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029890Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029889Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029888Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029887Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029886Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029885Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029884Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6A92-6092-B804-00000000BC01}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029883Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.167{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A92-6092-B804-00000000BC01}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029882Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.168{04D9AEC0-6A92-6092-B804-00000000BC01}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029914Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.479{04D9AEC0-6A93-6092-B904-00000000BC01}38363716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029913Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.354{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA901548FDB5960C2E723E675C3AD16E,SHA256=DCD24FDF7F0A36A0FD91B7756326377F335C954E903C44D42A7D45F7C64FFF0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029912Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A93-6092-B904-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029911Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029910Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029909Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029908Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029907Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029906Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029905Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029904Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029903Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029902Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6A93-6092-B904-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029901Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.339{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A93-6092-B904-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029900Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:15.340{04D9AEC0-6A93-6092-B904-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A94-6092-BB04-00000000BC01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6A94-6092-BB04-00000000BC01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.682{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A94-6092-BB04-00000000BC01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.683{04D9AEC0-6A94-6092-BB04-00000000BC01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:14.485{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51534-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.448{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E243E4C879B42CBEED1A2263391AB09C,SHA256=442C8190E4468B476F159F125027370EC92F8DAFEB973C9174F34B65D59B5DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.417{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F8273379C3CA0F99300C8B4DC0F1E0,SHA256=1980FC65F708E7EB9215150CE9789AEC271A731BAF3031F4D993F0B8143982AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.136{04D9AEC0-6A94-6092-BA04-00000000BC01}8803312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6A94-6092-BA04-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6A94-6092-BA04-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6A94-6092-BA04-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:16.011{04D9AEC0-6A94-6092-BA04-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:17.745{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C60289BE83B77A4902AC35005A600689,SHA256=88B66666DA07EF37125C85C08E955D183211FEA897096AA37B70E218E5B1D47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:17.464{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5429FF6EEA15DE6EA04DB9743D04707,SHA256=BF214574C4AFAF7A55175CB80162EF9642246295CD05FAF208F06581C3A90C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:18.464{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8502D3D80BFC011D569484D91A48C83A,SHA256=B13A1F231C0174D0AFF700805F0BA427BBD1369970242BD0C5691C2929430F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:17.891{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51535-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:19.479{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DCE714BB30B4AC1A7F227A035250,SHA256=1A3F605D14BCD0AF3C9F000B1A21928EDA62040FA56A40B8679F268177EA7D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058377Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:19.111{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:20.495{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A81CD10730B4AB6B6A02DFD3826201C,SHA256=75C269DDAD62E7E7B29C177154B96EE8878147B49B444894EDB38BAF6B5DAA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:21.511{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C8B7D5DB3CD2C7A6A98878122FB001,SHA256=21F0E0FE98364677D10F5C479E5A194EE97A936CA915A4B82179D5F1BBC823A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:22.526{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5CD3E75754EA4711ACBF8DA50BE51A,SHA256=EA69C05B76E37B9BD186C2CF56CCF8D5EE98555F994F490183C70A746B4C8381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:23.542{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E0A57D812D97BA9D6322486E4206D8,SHA256=6B4FD947B6AC369E1F85118B65CE23FBF932320717A3EF356EA6D4F97AF9715A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:22.922{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51536-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:24.557{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B9C956A4331D36B6636A75C60BCFA4,SHA256=6D0923E91E3E37A63D2AEEDBC647F27968C5F3261C3203D0DAE78BFB71D9A60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:25.964{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=13C463B903940EBA58BC1E9F3E99A4AE,SHA256=443890B27CAF1C74648A21B93F195537CC6B7D4D14E90366C496602EAF7D8B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:25.573{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB25D80BA659C68930E32A45E91E3F21,SHA256=6D954BC76559A46DDA46B9A8368D96476BA7F04466FFFB890503879B5A53D38E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058380Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:25.127{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058379Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:26.748{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D1C287F340830B97AC259D2DC7A99A,SHA256=65559977A71C03DB636CC9E6F6A4C6BBCC79A24551A08FE26D4F3F090C9A38F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058378Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:26.748{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC64F0D83216F38EE178D8A45C11DF5,SHA256=5A78887FB18A4475F659CF3FA97A8005CC62040870689E73C3F1BF1A4F21EA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:26.573{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CFAE20633AFE172AAF7C4CE8D76A54,SHA256=A42F5CA8AD627E896F0058478964D54BFF915DA8EC2FB39E3818029FDA19688B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:26.557{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:26.557{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:26.557{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058382Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:25.705{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54018-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000058381Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:25.705{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54018-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:27.589{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB51628CAEE39768B16C2F96F5EB132,SHA256=F89F75F5F281058205271F03A3009AD2F43B30EA9DBC1817C29931CA86AD97AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:28.604{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA4BAD9048ECD9F51FC6BEEC3F4B1B,SHA256=55CDCD26206CF936E148A953E5F78C77172D11E1F65E462A8423538336CB27A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:29.620{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB94949C0E30B3A0083801D536A6B09,SHA256=220E448F99FCF4EE4E8869F5BF65C36C257B144C486A4B2346B82187187C33CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058383Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:30.529{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-4D0E-6092-EC04-00000000BA01}2560C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:30.620{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA950EFF5AAE590F39AFA2445DA18EB3,SHA256=FCB5D45A31B070ABAD93C21AEA5459D46C7BA730D45B8283A207169F3DF7EFF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:27.954{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51537-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058391Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.716{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058390Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058389Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058388Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058387Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058386Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058385Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058384Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:31.232{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:31.698{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF478F930FF3FB6141F779D8E38C656,SHA256=33BDCE2C3B50910695F7AA3504DA353763354715285A6BBB96077AC209170503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058399Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058398Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058397Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058396Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058395Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058394Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058393Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:32.794{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058392Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:30.127{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:32.713{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE870A7F64AAF8CFDCF1984AAD5374A6,SHA256=187742EBD5A2915FFBC8AAD36ABF909FFDFA5CA494F804E9B14DFBDC64C982F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:33.760{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA1583EEC20EC1E69023B3BFC49663C,SHA256=5AC88C7E9914DBB01C603E47DA061DAC2F4023CB9680485D4FF20F33A409E1B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058415Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AA6-6092-CD08-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058414Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058413Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058412Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058411Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058410Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6AA6-6092-CD08-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058409Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AA6-6092-CD08-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058408Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.951{B13AE1A5-6AA6-6092-CD08-00000000BA01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058407Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AA6-6092-CC08-00000000BA01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058406Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058405Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058404Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058403Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058402Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AA6-6092-CC08-00000000BA01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058401Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.279{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AA6-6092-CC08-00000000BA01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058400Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:34.280{B13AE1A5-6AA6-6092-CC08-00000000BA01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:34.791{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93B873E47ABEA7BE6EE357851E6037,SHA256=706B0588A959768CE1B9CC5D75694C295A6953BD50BB2242BA74E9DECE3D38EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058426Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.763{B13AE1A5-6AA7-6092-CE08-00000000BA01}39004412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058425Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AA7-6092-CE08-00000000BA01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058424Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058423Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058422Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058421Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058420Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AA7-6092-CE08-00000000BA01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058419Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AA7-6092-CE08-00000000BA01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058418Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.623{B13AE1A5-6AA7-6092-CE08-00000000BA01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058417Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.388{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59671C8E7BADCF682F7A749E6A6AEC0,SHA256=8F8DDD2B6137ABF7FF136DBC83C1D0AF7D35C101301402AEE1590B41AF6B9456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058416Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:35.388{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D1C287F340830B97AC259D2DC7A99A,SHA256=65559977A71C03DB636CC9E6F6A4C6BBCC79A24551A08FE26D4F3F090C9A38F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:35.854{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A26929C23A7C2874CFA35E1DDB578,SHA256=D25D1726A98CF963F80F4BB908322FF08453C46FA9409AD32FD55866140703E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:33.032{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51538-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058436Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.763{B13AE1A5-6AA8-6092-CF08-00000000BA01}53486096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058435Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.638{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59671C8E7BADCF682F7A749E6A6AEC0,SHA256=8F8DDD2B6137ABF7FF136DBC83C1D0AF7D35C101301402AEE1590B41AF6B9456,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058434Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AA8-6092-CF08-00000000BA01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058433Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058432Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058431Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058430Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058429Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6AA8-6092-CF08-00000000BA01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058428Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AA8-6092-CF08-00000000BA01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058427Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.623{B13AE1A5-6AA8-6092-CF08-00000000BA01}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:36.932{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69533DA14EA42A8B6685657F17F65FFD,SHA256=5DCC76AE91CF99053763CF9FF24E2BF4C03682F2B27E5C6A2BC9F49E42BAE8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058453Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AA9-6092-D108-00000000BA01}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058452Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058451Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058450Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058449Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058448Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6AA9-6092-D108-00000000BA01}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058447Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.966{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AA9-6092-D108-00000000BA01}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058446Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.967{B13AE1A5-6AA9-6092-D108-00000000BA01}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058445Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.451{B13AE1A5-6AA9-6092-D008-00000000BA01}81365468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058444Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AA9-6092-D008-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058443Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058442Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058441Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058440Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058439Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6AA9-6092-D008-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058438Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.294{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AA9-6092-D008-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058437Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:37.295{B13AE1A5-6AA9-6092-D008-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:37.948{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F669168B1D4E2E01D312522B0BE4EB,SHA256=C9DCFF22F9A8E57C59D8D52A5AF9BAF1160B6E711BE96D9E98603355ACEF3376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058456Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:38.341{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D59C97B2B702EF33CE42A17338BF9D17,SHA256=4FB5F53E07454AD01956212A567CC2A920855547EF89DCEC8C65EE7557794CAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058455Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:36.158{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058454Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:38.107{B13AE1A5-6AA9-6092-D108-00000000BA01}77447880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:38.994{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE542AA69C5ACEAFB935DDCC5FB16B14,SHA256=74EDF96293B74CC1723DCA8BF9D57646FAB00A6DA302FC987E7B1A95CAD37535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058464Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AAB-6092-D208-00000000BA01}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058463Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058462Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058461Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058460Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058459Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6AAB-6092-D208-00000000BA01}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058458Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AAB-6092-D208-00000000BA01}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058457Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:39.873{B13AE1A5-6AAB-6092-D208-00000000BA01}7204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058465Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:40.935{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE91373D5B90BF94A2EE5CA5C4FE071,SHA256=F3C568EE51E70F36D2096149CC32EF8BD5548ADE7F8A07223409205EC7422110,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:39.031{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51539-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:40.026{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A74932002B7DEC5E1F1274046A77605,SHA256=8787A31772CAE00AEEB1804ACA8D23E99F33E76CD023165617D69535BDAC0CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:41.073{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0839721D3EF4A5526FD64F36BD35BC,SHA256=56990A1218A05CB7F80C7953D7F95FE56055EF8C1F2C2AB9417044EC3AFC403D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:42.260{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CEF26551F06B66D0A48050530844A5,SHA256=A07055241774B1A82B524118FB7E2DDFC1DDB4606CF815745DA6AC6740AF0DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:43.323{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F868F6B324F17C1214CB4A4DCAC05A03,SHA256=7576B8CDA19946F88E49BC2FB07B3E440C948C489D2DB042D50EBC4BEA8088D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058466Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:42.189{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:44.369{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03201242DE12814ADE9CED0F3E3669B,SHA256=9CE30AEA3813BA45C5F41D91B045594821494D3DCABB1708AD01E0D3B0A609D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:45.401{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080147087279581F9C7CEE05D2F8D609,SHA256=826D577C1D81C6EF9A5149606D90DBECD7270517BD32BA77EBC636A0D797E798,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:44.828{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51540-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:46.479{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4F4C07D072E9C491743F6E52A7B4C2,SHA256=970A81685C9356CF679DC4D8BF352C1CEE78317AA8AC1B86163D4DCCF27358B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:47.510{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607630EE9FF24EF1225B5990509BD5CB,SHA256=383C3681FCA4C693C729DC7556FC068D8EA1129794FC9AF0EAA40B9A40F38C7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058474Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:47.189{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058473Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058472Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058471Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058470Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058469Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058468Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058467Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:48.044{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:48.572{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FEF3422E3D24790E7D567AE8FB7A4C,SHA256=8767B04F21E687E8B20E8DDEC1F9017B837003C4ABAE46AC1087282EA995021F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058475Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:49.763{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:49.604{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70DED90F1B3013F0404D5E1A2101255,SHA256=B0C7D7D1FF7F83C9CC75902C53D77E50B2A013B9F24D3BC612AA86508AC34D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:50.619{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9845871EBEAB8E595C9DD897FD0417D4,SHA256=FC180475F79971C0E04FA9618CB572AC95330D4C22F4146ABC14816BB1D1F733,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058483Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058482Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058481Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058480Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058479Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058478Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058477Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:51.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058476Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:49.720{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:51.650{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7874A373290430BBDA690342470CDAF8,SHA256=2687CF4C5B7CBA9136C3E80824412CC7C48FEB49319947E5AE9A1B8A1B881129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:52.682{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1977B1F88B46A24BF2C8886BB0E1648E,SHA256=14995EE1DC26DBE17221BAA39564D3DE520EC1308FBE8ABC873890360FF7D585,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:49.891{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51541-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:53.729{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB9041D673E5CB0A1FC2B69503D4FE,SHA256=C4C27FC7A558CDF4A5A43D633ECDF871A62448294632EF758C1F69D3611D11FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058484Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:53.204{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:54.900{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A11DBE9EE6274F7255307C006AEFF24,SHA256=08C1F7297DF0AF260FB02F306BBF912145C895359E5FF4DBD4F30D9C10B98279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:55.979{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38FFDAFC8DE7DBED614CB1430FBEF65,SHA256=3605C42FCAD696055182C4C922F572F36F155782662AEBC61D0BBD4F69965756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058489Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:56.576{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F62453C5FC7EE91737DB960BB45A145C,SHA256=2E7BC384BAE49BC3B896F224BC4645C8F94B45DB269CCF73F9BF2E7AA0CE7E0B,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000058488Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-DeleteKey2021-05-05 09:51:56.498{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe 10341000x800000000000000058487Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:56.498{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058486Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:56.498{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058485Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:56.498{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:56.994{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C71E04FF98AB6BC2BB91E61604BF8E,SHA256=5A4A1E989B1616127D6273E4E2538AE3C471159DA58F5A243B78D2998BBB194E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:54.953{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51542-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:58.010{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2089EA9E2377EF247D93791478CAC7A6,SHA256=11EBC20EEE468B8B9DD05E074B49B7B6C0FB6E9DD84268395A168DFFAA394931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:59.025{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76AC88451085FED60A3B48E35C10C52,SHA256=D1277EF30FC3022A7183498650199C5273FDDC84E950C4A8C3C52845C2528D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058490Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:51:59.220{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:00.041{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB02E79A5740B499F6136A7CC9B7A340,SHA256=7571C2FC81DF0260DB7C6A2F8274ABD00656C7584F02BBF66F129F8A5E550B1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058497Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058496Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058495Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058494Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058493Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058492Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058491Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:01.029{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:51:59.984{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51543-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:01.057{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0895F3CEF2FFF3559C1FD1F0CC4DAC,SHA256=C2C21F928AC9A13199C1BE77B14AFADD0B91965AA112FF91304214196649921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:02.072{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6CB12C3726356A2D593955366DC31D,SHA256=9A1FA04DC1FB2A186F2CE127DBB9C572654792B89CC88B1F2ED9FA1B88DBE0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:03.088{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72882E1742C39F70E672F1D84372F326,SHA256=8BFCFEB83E7BF83DFB8FC2BE1886A546E2B76F0748BAA73392C67409429968C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058500Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:04.373{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1100-00000000BA01}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058499Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:04.373{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-4719-6092-0C00-00000000BA01}608C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058498Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:04.373{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-0F00-00000000BA01}1140C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:04.103{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41A4FF722E2A709469A67476204381A,SHA256=F255775F7E5DC5568C01FB118CC76FC3FDEAFCC3EC94CA518BD11530BD9C8B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:05.119{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D7379746A224D4B8CEB4E164022D5B,SHA256=315999D25C39B5D157F6B8E486D79E3BB04C8FB4D51C208102A36EDDC3A29C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:06.135{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B982A1A9F3365D40291F901E805F614B,SHA256=48D7830C2B482F75999702B26D7275AFEA02FCC94C5D343C70F6299BD98716AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058501Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:05.235{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:07.135{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE43F612C4F21005704DFAC28E746E9,SHA256=E28AFCF023CBFE0695AA249507B9AD593C24DBD96FB3FCA3357F6D1DC629D46F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:06.000{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51544-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:08.150{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93F74015A588777EA7C0370538C03C8,SHA256=4648268D0724CE9E51B1DF9CEDCDE153725B5E50585947DE416AFF1BCE4F68C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:09.166{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0D5F3880A0E2A1F17D69128ECEE0E8,SHA256=BF20DBDCCF01715F613771404F68192010E204A18DA9EAF62FB3825BF2091B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:10.166{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA8B3577673DFB149BD10F0D42088AF,SHA256=FA53DC4323DB252D2C60099C32B17DBD135F42A05D2F4C7D3E930C419B515800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6ACB-6092-BC04-00000000BC01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6ACB-6092-BC04-00000000BC01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6ACB-6092-BC04-00000000BC01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.963{04D9AEC0-6ACB-6092-BC04-00000000BC01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.181{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518F3C05633E6090453E41AAD272AB8D,SHA256=E0473F775C1D98D01D31D8BB548DCC24B84BD4557543348353D225551F3ED614,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058502Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:11.001{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.978{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F8E9A72E3E85A5E90E2B011F7BDA1DD,SHA256=730B0129683D4513F7CD774657831517C41B12D5BA11784DFBA3A233C18FE31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.978{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71CAD9FD54C903B7509D9A6E07A23B16,SHA256=EBB30AC56C37E99D80B194E7AE76B82CBA8F526C297D55E2E59D8DDCC5ECA1D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6ACC-6092-BD04-00000000BC01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6ACC-6092-BD04-00000000BC01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.634{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6ACC-6092-BD04-00000000BC01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.635{04D9AEC0-6ACC-6092-BD04-00000000BC01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:12.244{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD19ED9AD249120BF7F56792ACD52AAF,SHA256=22E80131396A4A50B32198C1416CD23A62C9408EC5779FF03D14B7519C5A2E76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058505Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:13.685{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058504Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:13.685{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058503Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:13.685{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.431{04D9AEC0-6ACD-6092-BE04-00000000BC01}38281092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:11.843{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51545-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6ACD-6092-BE04-00000000BC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6ACD-6092-BE04-00000000BC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.291{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6ACD-6092-BE04-00000000BC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.292{04D9AEC0-6ACD-6092-BE04-00000000BC01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:13.275{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8094781F8E68DEB90FAD1889A61B6101,SHA256=D26AE5D5716F62530105EDDD9AB695B6CC7ECE36AAF5672DB66C7F99E40C1979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.744{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.478{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AB59BA3698C7A26E256404128052A9,SHA256=E99B1A07FB815E2F31AEE8BFADCB9A9AA9BFE3463D61F36C9C6EA8CE55701A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.306{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F8E9A72E3E85A5E90E2B011F7BDA1DD,SHA256=730B0129683D4513F7CD774657831517C41B12D5BA11784DFBA3A233C18FE31F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.306{04D9AEC0-6ACE-6092-BF04-00000000BC01}18122796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6ACE-6092-BF04-00000000BC01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6ACE-6092-BF04-00000000BC01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6ACE-6092-BF04-00000000BC01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.166{04D9AEC0-6ACE-6092-BF04-00000000BC01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030088Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.494{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4910198BC946257FF513A6068A754E8,SHA256=F30FB4CCDE9EA16ED4F70832086D37C860FFC7E86857EFA4277EA0D8ACA52EDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030087Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6ACF-6092-C004-00000000BC01}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030086Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030085Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030084Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6ACF-6092-C004-00000000BC01}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.337{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6ACF-6092-C004-00000000BC01}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:15.338{04D9AEC0-6ACF-6092-C004-00000000BC01}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030119Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.822{04D9AEC0-6AD0-6092-C204-00000000BC01}3744956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030118Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6AD0-6092-C204-00000000BC01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030117Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030116Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030115Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030114Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030113Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030112Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030111Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030110Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030109Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030108Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6AD0-6092-C204-00000000BC01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030107Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.681{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6AD0-6092-C204-00000000BC01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030106Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.682{04D9AEC0-6AD0-6092-C204-00000000BC01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030105Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:14.515{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51546-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030104Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.525{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDCF50FCF515F9D967BD18811FEC32E,SHA256=287CA6D4161206B3D495354BAE41315C76EDB0E5C80A5691D3828C8FC7A38741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030103Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.416{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC01CB11535AA88B916959C15968D8B7,SHA256=4EBD48BD27D2372444DA6744B425D626EE8D0048B4ACFC747C3BBF9F6B8D70F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030102Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.134{04D9AEC0-6AD0-6092-C104-00000000BC01}19003384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030101Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6AD0-6092-C104-00000000BC01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030100Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030099Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030098Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030097Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030096Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030095Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030094Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030093Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030092Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030091Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6AD0-6092-C104-00000000BC01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030090Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.009{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6AD0-6092-C104-00000000BC01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030089Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:16.010{04D9AEC0-6AD0-6092-C104-00000000BC01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000058506Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:16.079{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030121Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:17.775{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2123FA7B4E0FDD3B479005143579849A,SHA256=6E9FFB1F659140A4889BD9D9F89A86E871E400D3110027E7985BB21B21EDECBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030120Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:17.572{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7676D29B2A9467A460781987A2CB177,SHA256=202595E87A980C67AD56B90A918BDEACB1B20248CD37B4A2C6FFC5188A9BD750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030122Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:18.587{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1156D23E8B8128F69951304E9D5C81,SHA256=56A63C3FC2FDEABE01B86FFB6E85BF0B55C6A0D779D19E31284B63EBF3AECA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030124Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:19.665{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B777016232E8DEBE53C90ADDB1349810,SHA256=71884024D1F266F714454C11990F3B062095E117252FFDF0AA1939F2337D18F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030123Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:17.875{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51547-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030125Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:20.775{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F43D631A6530A6ACD4AC846F64B792,SHA256=CAE7D260CD069249DE11FE4124ECF744AE52B2FB570D1BF22944A7AE63C79E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030126Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:21.822{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71200AB874C2F934B993DB49C398C3E5,SHA256=1749E3005495792F98F67FADB128F1657409396B36CC2D0C78E3503A3128D4F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058507Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:21.079{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030127Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:22.915{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD487553560A8ABC0D35AC8DBAAC9B55,SHA256=83627CED5ECBDBFBBFD1DE1B46F563689A61C9FEA27EC75C66E06BBE45D46F5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058533Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058532Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058531Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058530Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058529Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058528Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058527Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058526Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058525Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058524Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058523Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058522Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058521Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058520Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058519Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058518Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058517Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058516Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058515Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058514Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058513Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058512Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058511Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058510Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058509Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058508Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:24.373{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030128Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:24.087{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EC5D2FFF9A2FEC9907AEBD2AC3D9CD,SHA256=1D512900482E299C98171999721E7A6E8BA030A4F1323B2C00E49FA165487349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030141Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:25.978{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2BA114CF53488B3691D8D39C7DEBCA1C,SHA256=70AB61A79E5BF85A249D7D051C1802C72CAA690A38FC5C7E09C2909E4BB4510F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030140Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030139Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00830e89) 13241300x800000000000000030138Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418b-0xf8060421) 13241300x800000000000000030137Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74194-0x59ca6c21) 13241300x800000000000000030136Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419c-0xbb8ed421) 13241300x800000000000000030135Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030134Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00830e89) 13241300x800000000000000030133Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418b-0xf8060421) 13241300x800000000000000030132Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74194-0x59ca6c21) 13241300x800000000000000030131Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:52:25.384{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419c-0xbb8ed421) 354300x800000000000000030130Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:22.890{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51548-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030129Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:25.103{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68D38D8F95F502D69D3C5AEA46C14D5,SHA256=B8E8D11ED38F611A8084E93A5ED57B4C7FF8EDD01FA875AC25B93C561F58D19D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058562Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.904{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058561Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058560Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058559Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058558Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058557Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0E-6092-ED04-00000000BA01}46847336C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000058556Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0E-6092-ED04-00000000BA01}46847336C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000058555Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44085832C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058554Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44085832C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058553Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44085832C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058552Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44085832C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058551Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058550Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058549Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058548Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058547Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x800000000000000058546Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058545Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058544Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.873{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058543Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058542Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058541Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058540Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058539Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058538Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058537Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.857{B13AE1A5-4D0F-6092-F804-00000000BA01}44083460C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+20f2e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+1755c0|C:\Windows\System32\SHELL32.dll+17c79c|C:\Windows\System32\SHELL32.dll+19ea68|C:\Windows\System32\SHELL32.dll+17c936|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000058536Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.859{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\SplunkUniversalForwarder\bin"C:\Windows\system32\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000058535Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.795{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A48F4B7183EBDB7E69E2E9473D909C4,SHA256=36E0049F3D025BC431F051A48E1D2FE171355BE43895EBE7A45416113AFD50D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058534Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.795{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC0C9D143FC133C4844C8C713D7318AF,SHA256=903F75B5830655806F1B371A13201C2907198C98CBCB4C3309BCD94DF8C6E490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030142Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:26.181{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D230C3C0A8CD3FE6B852854648FABED,SHA256=54154FD0B6678161D71C85BDC8D41097ABB5EB7D8B76CA175488A88AB1C74AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058565Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:27.873{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A48F4B7183EBDB7E69E2E9473D909C4,SHA256=36E0049F3D025BC431F051A48E1D2FE171355BE43895EBE7A45416113AFD50D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058564Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:25.720{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54030-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000058563Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:25.720{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54030-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000030143Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:27.353{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09366C6942D98CCFE68363EF816BF087,SHA256=C6462AB8C88374D4035B6F222052BD2B977760AE8DE7A50BC0191753BA73228F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058573Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:26.079{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058572Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058571Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058570Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058569Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058568Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058567Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058566Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:28.045{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66EA-6092-3608-00000000BA01}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030144Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:28.415{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265BFD9A460C47E886F1398F8AC2642B,SHA256=D4E11C58CE254903B7E4C675CCD7243F14B24CD2E9789BB9BD3D6DC55B275391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030145Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:29.431{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E991A1E5945B023E80D3D306D7D735A,SHA256=A43FF4C5704D736A0DFBFBC6441370527AB995588932C2F36497640437DEA57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030147Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:30.447{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4837B0A0C27AA7DB8226599DBC270675,SHA256=77B6D0B3CF2BDF30807462C1B57D3938A655AE2103469ABBFDB43388FEE8DC4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030146Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:28.921{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51549-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058574Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:31.873{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030148Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:31.462{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6E1BBD232EFCBEF59D510DF3F81FF8,SHA256=17706EA80B2A0702D48AF8AC5360C0D8CD221FC21C6DF145BB92AFAD4CD0C294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058575Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:31.094{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030149Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:32.478{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55624C4B9AC20C8E2C3CCAC5A792187,SHA256=ED03C5467B4C30F4626BBE5BEB0C46D4058E48A5CB24F29D2259DE4BD1A7701B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058583Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-66EA-6092-3608-00000000BA01}21767452C:\Windows\system32\conhost.exe{B13AE1A5-6AE1-6092-D508-00000000BA01}5460C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058582Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058581Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058580Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058579Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058578Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6AE1-6092-D508-00000000BA01}5460C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058577Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.873{B13AE1A5-66EA-6092-3508-00000000BA01}81205952C:\Windows\system32\cmd.exe{B13AE1A5-6AE1-6092-D508-00000000BA01}5460C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058576Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:33.854{B13AE1A5-6AE1-6092-D508-00000000BA01}5460C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -cC:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000030150Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:33.478{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3715A16B3017EEADBAFCFE9B067740AD,SHA256=9C2233F1E09CFB8064FD7445A48B3F246BA5BDFF9A11861127AC30FA3DE8A294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058601Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE2-6092-D708-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058600Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058599Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058598Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058597Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058596Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AE2-6092-D708-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058595Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.966{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE2-6092-D708-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058594Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.967{B13AE1A5-6AE2-6092-D708-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058593Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.857{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71DBFBAD0AAFF53D17B35DA87CAFCF35,SHA256=2417E549C59A512FCE49D5B7C042EFC59F09D6BCB71ACE5D4F70635267E17C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058592Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.857{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A54B77BFB071BD7E49061EC609386904,SHA256=5A835AEEB93CA3266E0B799E15FF7185DDE26EA8C9F7CB8ECB2208BA0FC37C6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058591Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE2-6092-D608-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058590Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058589Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058588Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058587Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058586Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6AE2-6092-D608-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058585Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE2-6092-D608-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058584Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:34.295{B13AE1A5-6AE2-6092-D608-00000000BA01}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030151Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:34.493{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB244EB41C1754065B15EF9B89A9124,SHA256=865A3F984A7AC105A908F0C53BDF58D6FE5640254BFB2A8941D528EF8BB037B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058610Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.795{B13AE1A5-6AE3-6092-D808-00000000BA01}67247140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058609Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE3-6092-D808-00000000BA01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058608Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058607Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058606Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058605Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058604Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AE3-6092-D808-00000000BA01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058603Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.638{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE3-6092-D808-00000000BA01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058602Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:35.639{B13AE1A5-6AE3-6092-D808-00000000BA01}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030153Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:33.968{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51550-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030152Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:35.493{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1678CD9DD16A73AC710C96D5045E0017,SHA256=6E80833BADC2EE95C872D5921EDFD1DF74EA6B98034CE3A8C54CF235FE3B7B7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058620Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.795{B13AE1A5-6AE4-6092-D908-00000000BA01}71645288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058619Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE4-6092-D908-00000000BA01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058618Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058617Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058616Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058615Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058614Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AE4-6092-D908-00000000BA01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058613Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.638{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE4-6092-D908-00000000BA01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058612Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.639{B13AE1A5-6AE4-6092-D908-00000000BA01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058611Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.076{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71DBFBAD0AAFF53D17B35DA87CAFCF35,SHA256=2417E549C59A512FCE49D5B7C042EFC59F09D6BCB71ACE5D4F70635267E17C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030154Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:36.509{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0640C2D37E87128842B24D0F2D197D76,SHA256=DC3BBBCF5CCF9E8A1FE6CCB5652524C91573FFFB9CB522A1AF27E3A0856C24F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058639Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.951{B13AE1A5-6AE5-6092-DB08-00000000BA01}51605640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058638Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE5-6092-DB08-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058637Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058636Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058635Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058634Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058633Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6AE5-6092-DB08-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058632Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.810{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE5-6092-DB08-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058631Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.811{B13AE1A5-6AE5-6092-DB08-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058630Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.654{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=172F91774A67D59E8CC75D4884AF24AA,SHA256=C3106880D4F7A93D58AB8E255509DFEE96A384896EE02C7AF3F3B128B31DE4CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058629Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.451{B13AE1A5-6AE5-6092-DA08-00000000BA01}68086752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058628Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE5-6092-DA08-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058627Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058626Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058625Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058624Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058623Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AE5-6092-DA08-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058622Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.310{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE5-6092-DA08-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058621Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:37.311{B13AE1A5-6AE5-6092-DA08-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030155Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:37.524{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37341448A415CB84C8BC9A40110F2A9C,SHA256=B32C3B5B8EEEA9BDAB1A17438968BF4A6305FA337011C146F8D0D5CD9519DF81,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000058652Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-05-05 09:52:38.966{B13AE1A5-6AE6-6092-DC08-00000000BA01}6812C:\Program Files\ansible\sysmon\Sysmon64.exeHKU\S-1-5-21-3097214516-93009651-1972489275-500\SOFTWARE\Sysinternals\System Monitor\EulaAcceptedDWORD (0x00000001) 10341000x800000000000000058651Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-66EA-6092-3608-00000000BA01}21767452C:\Windows\system32\conhost.exe{B13AE1A5-6AE6-6092-DC08-00000000BA01}6812C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058650Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058649Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058648Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058647Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058646Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6AE6-6092-DC08-00000000BA01}6812C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058645Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.951{B13AE1A5-66EA-6092-3508-00000000BA01}81205952C:\Windows\system32\cmd.exe{B13AE1A5-6AE6-6092-DC08-00000000BA01}6812C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058644Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.963{B13AE1A5-6AE6-6092-DC08-00000000BA01}6812C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -iC:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{B13AE1A5-66EA-6092-3508-00000000BA01}8120C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000058643Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.826{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=329EF0680B73FB688E7A07DC72B3B551,SHA256=F9546CD7FF8519DCFABAE724C929C7B4B4E3C8650F977AD2504017D242F28F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058642Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.388{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-697D-6092-9B08-00000000BA01}6148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058641Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:38.388{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-697D-6092-9B08-00000000BA01}6148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058640Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:36.110{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030156Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:38.634{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E18E4D9E43DF6762CF9AEC7C5F024EF,SHA256=4EA0BD5CB2635B0D4F6C5729A90DAC9CE1CF7AC11464EC36CFF8611313747183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058661Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.982{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC30D178337BAE0F250ABE0C57D0A81,SHA256=CE1B6DBAE5DB609A3280F6A8FFAA320F7E22C7D98B5FC411D1E7C9449F5C1E75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058660Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6AE7-6092-DD08-00000000BA01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058659Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058658Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058657Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058656Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058655Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6AE7-6092-DD08-00000000BA01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058654Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.888{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6AE7-6092-DD08-00000000BA01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058653Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:39.889{B13AE1A5-6AE7-6092-DD08-00000000BA01}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030157Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:39.681{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7F15B1247A4BEE3A0E1E39AD819F3D,SHA256=6AD6BAC0902D391EB7A74A73449B967A7840F3C9A4AEF8C2BA166CFFFE9A63BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030159Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:39.015{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030158Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:40.774{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059503785CDE946EB52C646D237484E8,SHA256=87C3CF49FFC88C03DCA34BF60EF670D4ECA957B855E0DE98CFDF5308A10D9F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030160Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:41.790{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8C34687224371DF13E2E206C5430E4,SHA256=755C9F60DE10C3DE59AB12B6CF13A2744140067EA6284E79B6BC4550335E464E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030161Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:42.853{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E569D1117900ADCA527FA8BED51B2,SHA256=4118F1C82184E576D1064604A33387A1D1E5A5F7ADADD1A5A37F100ECB4C9AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058669Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058668Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058667Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058666Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058665Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058664Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058663Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:43.248{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000058662Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:41.173{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030162Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:43.884{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D357D7640CFC13F6BBA52A9910B45AD9,SHA256=E06FDA272B0BC4ACFF7237463630A40810FEA862102C8A88A6EF46190FE3DB63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058676Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058675Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058674Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058673Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058672Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058671Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058670Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:44.998{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030163Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:45.024{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBC62FA5787C6254B7F009B0141D47B,SHA256=C85EDB7BF847F897B779DDCEB005F35C1A6C64EDF1910B80CEAA74B6923E235C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030164Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:46.118{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE14DE81C2BE5A9DE93AACA6A486805,SHA256=ABB78147C8628F9022DE1960149748894740ACA7CD590EB6470EE410E254ABBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058677Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:46.172{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030166Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:44.812{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51552-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030165Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:47.134{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C1F0F41A7919BE0A3B802BC860CF22,SHA256=8F34EC5DA1939021BEA95CBBE77DC1288307D5E6AAF4218B17310B8FCF4AF9D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030167Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:48.165{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E69BAFDEF4DE0A9371B89D50CB1673C,SHA256=CE59BE9C44B9DA7E269B51BAE1A47762B427926015BFAF4ED04D7B238701B1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058685Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.795{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058684Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058683Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058682Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058681Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058680Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058679Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058678Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.545{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6A75-6092-CB08-00000000BA01}7392C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030168Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:49.227{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE55EF7852C8C7E5D26D0011858B898A,SHA256=0005AA1551164EA25A9077A2F8146370A24EB5A70D61FD71C0ECA87883D06306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030169Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:50.243{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C595DABE7F86CFB570EFEFEEF93F7115,SHA256=890BB4D8B84CF90BFB6F107F9EAFD39F5CC47227ADC43E921C00357C8148A8C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058686Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:49.750{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000030171Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:49.842{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51553-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030170Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:51.259{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FDC3A8E7A029DF758C18D5829EBF02,SHA256=68FD6C613DBC9557A05AB79BBCA8EE91EA3D8A6657E16474B2B1FF643FFF6890,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058687Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:51.219{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030172Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:52.274{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE2EF93AB43EEA86EF7265A7AF63A99,SHA256=1FDF63169DF3A85E401BAA48CAC276A5B69F06D0985DCC33E18CEAE56FB612C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030173Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:53.305{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75B4A935C3C4CD7F779FF10224D7799,SHA256=A23BDC54C5368559FAE550725CF23CF6299EF4E5BDD448189D692827BDEC784C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030174Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:54.399{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E05641C69F76B5CAA7F299E4BE70500,SHA256=CF96D1410FA810319C7896D0EA736186609C63FE962728D70FD417263DC48A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030175Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:55.399{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0A98175C127C332275B0ECCDA409F7,SHA256=FEF11816FD6B2BEDF42086652B8096807DF9ECA83B0B4898BEFB93A43A3B4115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058688Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:56.592{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B74BE8C43F5068C1F76A62CA185EB3FE,SHA256=D8F1D359F91471603AF60A455A2593B9466CA5B377AC431EF6FD848576935BDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030177Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:54.920{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51554-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030176Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:56.462{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7254A4B9ECAAA59C668FE563BB075F4A,SHA256=9C5526A0661563E7C2C51E168A619FA3A6EC625DA1C6F1DAC8636E689968AAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030178Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:57.508{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482EE4A44429A6D45370F47FF7E19662,SHA256=264929330E3756777896F79B7790F473EF05D9BEC839D810BD25BF6366C35F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058689Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:52:57.016{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030179Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:58.540{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F6952E02211B37C9E7EAEEA8FA3971,SHA256=E34814480F8710B5470EECAAEDD7743DC3D1D9311A4BF0D90FAF2F5AFE7E044A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030180Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:59.586{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475D87F3E876340BE36E6CC2D516FFE9,SHA256=DAADB86941CC2E9C569149AE9569DF5F961D1A844880E25EBE4BEC3545C7DB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030181Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:00.633{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BE515122A20A4382949AB6D6DB959E,SHA256=43BD38593E20A88BF4D1B13DA1672180DECA0415FAEC292838FF41492A448B7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030183Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:52:59.983{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51555-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030182Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:01.774{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22A52973B64CA93AE3B0BF8F9B27F1D,SHA256=B2FA556833C8778AC0348F9E57F100B3C2FFB828485983E579621386DCCAB1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030184Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:02.821{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDA6DF1669E4C023F6A704E3F00744E,SHA256=878E3CA3F9C6176C41FE2011798815294A998431FE08402C86F74555D28E9621,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058690Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:02.047{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030185Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:03.868{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB4DDCDF8083B764A5C38C6FBBD1A66,SHA256=1FF54CB4E54EDA8155DF08DFC2378E231C0D24CB828057951B0290544308E202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030186Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:04.883{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1E871D32F7C26E4DED5CAFE746BF52,SHA256=6B545B799E3F478C19C7A6C9E7A37383518D3569AE38896A223C548BDA2E7395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030187Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:05.961{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDBB5CE6CEC152BF7E360480D9E5554,SHA256=CB48A303912DCD85CE9A5655E081A851C37A1902AF9E6BA06D0E200E53D2374A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030188Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:06.977{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE7297D8B649AD724140806A7899022,SHA256=AF9A1E3C50AA002FF1B43AA9D745643018EAAC3428820E8C362835047D257790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058692Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:07.732{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6339BBB443E1A730F9DE0D36854A811,SHA256=DF8D0C1C8B7EB81781F1E09680EC238E9FFE89664F5D4CEA048D1C0CB78A6676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058691Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:07.732{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF25AC173EACB42B645437242CB156A8,SHA256=0E9ADF010507767F5E59C3060A3EEA1954D006CBE4521F9028AE3AA8BA7911BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030190Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:07.993{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480BD6804DD04A905FE4CDC48EBE9F4B,SHA256=17EBFF1652C90C28149198F7C5446A3228178BE2F2CDCB4551BA2B256982017B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030189Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:05.045{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51556-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030191Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:09.008{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C360C8648952070C2C0D35AD96720586,SHA256=A5E3FE3B862BD3286516A257DE963D213D1DC819CAC941CD3F58AAE32C981D70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058693Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:08.048{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030192Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:10.024{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F11DBD7CFB7108D4DB2E515F3E5ECEC,SHA256=3E324A7565B9A6F72D5004AD19945B3D535FC83544409FE287F15A9EC8831A1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030206Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B07-6092-C304-00000000BC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030205Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030204Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030203Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030202Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030201Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030200Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030199Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030198Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030197Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030196Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B07-6092-C304-00000000BC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030195Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.961{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B07-6092-C304-00000000BC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030194Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.962{04D9AEC0-6B07-6092-C304-00000000BC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030193Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:11.039{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4713495680ADE8157521601D7AEC27A,SHA256=22953161167AF10B69C24326776FF7DF417C48AEA1E80119674DA727D93915CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030222Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.774{04D9AEC0-6B08-6092-C404-00000000BC01}36041492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030221Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B08-6092-C404-00000000BC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030220Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030219Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030218Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030217Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030216Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030215Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030214Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030213Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030212Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030211Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B08-6092-C404-00000000BC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030210Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.633{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B08-6092-C404-00000000BC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030209Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.634{04D9AEC0-6B08-6092-C404-00000000BC01}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030208Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:10.842{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51557-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030207Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:12.071{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF39AD3531BFE3D348FAF2354E6CDC6,SHA256=8BE98732808D201B23870677B9F137E026597CB6DFD622140446988B5ADE3C40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030238Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B09-6092-C504-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030237Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030236Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030235Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030234Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030233Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030232Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030231Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030230Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030229Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030228Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B09-6092-C504-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030227Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.227{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B09-6092-C504-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030226Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.229{04D9AEC0-6B09-6092-C504-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030225Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.102{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17DA4FFCB989086D757FBA276244732,SHA256=4352945A3EA3659425DB20C457DEDD1704946BD8835163C0AF56CE48A6C55A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030224Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.008{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B4EEAC3A3AC63B80642ECAC0FCD2A2,SHA256=B62EFB21D52D2A372B89A985D5CEF0169038E02BEC6A47DDDB03B237336FFDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030223Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:13.008{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49922E258BC439BFEC64BA5CF846FD29,SHA256=A10AD5EFAB325D53450D0729B0D75F8F1A6EC0DB9520346D708DDCB7476DC06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030255Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.774{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030254Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.367{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E65C57D294147A8CC4D01D2F7F77EB,SHA256=BCDC664A5539811F34C94F89502EDF668E175C80515DA6169B516C597EAFA42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030253Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.367{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B4EEAC3A3AC63B80642ECAC0FCD2A2,SHA256=B62EFB21D52D2A372B89A985D5CEF0169038E02BEC6A47DDDB03B237336FFDC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030252Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.289{04D9AEC0-6B0A-6092-C604-00000000BC01}4068184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030251Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B0A-6092-C604-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030250Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030249Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030248Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030247Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030246Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030245Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030244Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030243Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030242Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030241Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6B0A-6092-C604-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030240Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.164{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B0A-6092-C604-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030239Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.165{04D9AEC0-6B0A-6092-C604-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000058694Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:14.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030270Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.477{04D9AEC0-6B0B-6092-C704-00000000BC01}32203844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030269Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130349EF96BC6ABC38FEF36EA06B8111,SHA256=FB922F7112286A4FD9F448C74CDBC0C3DD4C785C0703DE9451D9AD091ABE1091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030268Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B0B-6092-C704-00000000BC01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030267Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030266Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030265Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030264Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030263Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030262Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030261Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030260Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030259Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030258Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B0B-6092-C704-00000000BC01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030257Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.336{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B0B-6092-C704-00000000BC01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030256Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.337{04D9AEC0-6B0B-6092-C704-00000000BC01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058701Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058700Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058699Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058698Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058697Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058696Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058695Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:16.560{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030300Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.789{04D9AEC0-6B0C-6092-C904-00000000BC01}29644064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030299Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:14.545{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51558-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000030298Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B0C-6092-C904-00000000BC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030297Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030296Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030295Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030294Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030293Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030292Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030291Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030290Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030289Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030288Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6B0C-6092-C904-00000000BC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030287Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B0C-6092-C904-00000000BC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030286Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.651{04D9AEC0-6B0C-6092-C904-00000000BC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030285Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54B386C63F5B61ABF56CC9DF78B5E16,SHA256=253E2288536656B99D0429C7EF92C59638FD7EF79C0181ED90B9E7CAF219C378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030284Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.649{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E14B28E999D54B196BE62664C032EEA,SHA256=F740704D87D9E25330BCB283AD1D96995E061FE3CD150CE9AE590663F7DA9405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030283Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B0C-6092-C804-00000000BC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030282Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030281Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030280Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030279Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030278Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030277Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030276Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030275Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030274Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030273Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B0C-6092-C804-00000000BC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030272Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.008{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B0C-6092-C804-00000000BC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030271Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:16.009{04D9AEC0-6B0C-6092-C804-00000000BC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030303Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:15.888{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51559-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030302Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:17.805{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2A5D44C9AF21F5613AC437BD3A87451,SHA256=5CA07705C311D9865B51A2F367694433BBAA3E2F6BE05418F76104F7C10D017C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030301Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:17.664{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43761449C01E69AB0F6F45CD2602E79F,SHA256=75F1466943A366B6AB7E69934E31B6D91DFAAC8AD04D87A4FD185F7DF93264E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058732Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.482{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6B0E-6092-DE08-00000000BA01}5484C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058731Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.482{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6B0E-6092-DE08-00000000BA01}5484C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058730Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.467{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-6B0E-6092-DE08-00000000BA01}5484C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058729Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.467{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B0E-6092-DE08-00000000BA01}5484C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058728Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.467{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B0E-6092-DE08-00000000BA01}5484C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058727Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.467{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-6B0E-6092-DE08-00000000BA01}5484C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058726Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.451{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843712C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058725Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.451{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843712C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058724Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.451{B13AE1A5-4D0F-6092-F804-00000000BA01}44087096C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058723Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.451{B13AE1A5-4D0F-6092-F804-00000000BA01}44087096C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058722Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843712C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000058721Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843712C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000058720Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058719Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0E-6092-ED04-00000000BA01}46843548C:\Windows\System32\RuntimeBroker.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000058718Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0F-6092-F804-00000000BA01}44086688C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058717Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0F-6092-F804-00000000BA01}44086688C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058716Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058715Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058714Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058713Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.420{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058712Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058711Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058710Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058709Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058708Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058707Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058706Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058705Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058704Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058703Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44086600C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058702Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:18.404{B13AE1A5-4D0F-6092-F804-00000000BA01}44086600C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030304Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:18.695{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED860A78E184F3923F80F6362B87A367,SHA256=4BD0A1E89346699D2F30D6A63A5DB6E714E3BB8D3F069E2D654657ECE1F96FA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058749Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058748Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44084476C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058747Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058746Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44086884C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058745Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44086884C:\Windows\Explorer.EXE{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058744Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44087108C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058743Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44087108C:\Windows\Explorer.EXE{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058742Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058741Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058740Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058739Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.607{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058738Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.592{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058737Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.592{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058736Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.592{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058735Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.592{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058734Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.482{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AEF52914429D2A50D70F50A7C24A7B5,SHA256=5642810A8A0A131BAA35E9F340FB058B019F35B32EDF4FEF5771393AB3FC7DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058733Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:19.482{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6339BBB443E1A730F9DE0D36854A811,SHA256=DF8D0C1C8B7EB81781F1E09680EC238E9FFE89664F5D4CEA048D1C0CB78A6676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030305Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:19.852{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8A16D8AC9DC70A6CF925A62941EE28,SHA256=3DA7F85E58AD642A53FA27E33974DBB909EDD5F73EC09A89377D27BAEEE67682,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058751Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:20.217{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.bat2021-05-05 09:44:36.559 23542300x800000000000000058750Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:20.217{B13AE1A5-66F5-6092-3908-00000000BA01}6208ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.batMD5=C4AC8D93F33F50CF2828A076AA2A8DA1,SHA256=9D44DA5F3F51C9E276BFBD9C43D8D722ECBCB7ED5B5A2526FF09DEFC773461D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030306Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:20.883{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A568F96CD94EF0751BEF7475BBB0D9F,SHA256=C6EEE6BA86A560B445EF37428369269F62C0A401DE8D1F6A9862184687F3B364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030307Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:21.992{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2936C8DBE3A62BB55674565760D6F0,SHA256=133A9480CB7C891D3850F656358BFC07A98E0753200DEAD4AC1AB2122C908397,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058752Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:20.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058756Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058755Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058754Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058753Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6087608C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000030308Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:23.023{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9463BFF5936F2EF6FB765BF00847CC,SHA256=3022FF8FCBEBC1BF1E1C791FDE5C21DDD50629016682C28EEDD51F271A8C3F49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058765Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.951{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058764Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.951{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058763Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058762Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058761Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.951{B13AE1A5-4719-6092-0C00-00000000BA01}6083332C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058760Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.951{B13AE1A5-4D0E-6092-EE04-00000000BA01}8167232C:\Windows\system32\sihost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058759Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058758Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000058757Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:24.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x800000000000000030310Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:21.920{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51560-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030309Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:24.055{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2739DB2B09DABEAC4108AD2AE105DAD8,SHA256=B0329485B1C0A0FD920EA5FCA79A9BB7E0B2F9C3E1222F53DE09C979FC0E81F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030312Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:25.992{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AECC1DE71FE9072CED759345D5811F8B,SHA256=F598EB3C75679A19164D20080A11780EEBEAB1685E72380048A485F66C5090E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030311Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:25.133{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B47CDDB486BAFBA08265044CE165907,SHA256=DA06951F783FB7CFDBD667C7F91EDF39714FE5017F5102AB82E6D46E4560B66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058768Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:26.779{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D698D7D5534069E4EA24968242826A4,SHA256=DB9602E99D891DDD78F749227FE38F3AA761E86120F618EAF5D763275A900E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058767Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:26.779{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AEF52914429D2A50D70F50A7C24A7B5,SHA256=5642810A8A0A131BAA35E9F340FB058B019F35B32EDF4FEF5771393AB3FC7DA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058766Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:25.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030313Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:26.258{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B3CE203901A477B2976CEF6881442,SHA256=D1E4BA9E50802186F5D219B0C5F184A021E149D427D63EA40DDD7CBD818FE229,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058770Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:25.734{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54044-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000058769Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:25.734{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54044-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000030314Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:27.289{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A09227B031609FECF5BF4620DFAB6F7,SHA256=D0E8B2D06793A3C5C10F655AEDCCEE36C6E8AD68420BD93AB602AE69CEF8B338,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030316Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:26.998{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51561-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030315Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:28.305{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE182133FB1AC01825DD2237054EADF4,SHA256=EB8689753124DDD0F80695B4B0D4B8077C442BF2A0AC84D181083C98622D8F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030317Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:29.320{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D13A2F5F0FF709F62A7656D0122B22B,SHA256=9450F64DF8F6B52B60489929A3EFA58309AE7B14B8567078FC81F2854DB1A6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030318Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:30.320{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5360AF876433A0F4BCBA63C93900AFB4,SHA256=B59E1BD42BE16EDE99E485DB7E142976D56085AC274B6C4A5E74BC7B7EA29E24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058771Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:30.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030319Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:31.336{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC6A7CEB9957FCD2DCB7D7C451E080E,SHA256=2741C110AB686DF2E54D90CCF87B3485C870056C54DB712A563A6999AAD66FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030320Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:32.351{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8235A872B044552CE0BE23D6B5C15D3,SHA256=02844ACF7D028AE7B978101C1BE8BA6CC00910BA8936ABA2E688D68682375798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030321Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:33.367{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC424CB07C2300BCEFFBE27D3C0E777,SHA256=01F2E60819931380BB5035AA81EE2513726FB2C2C276D6DF3556116F13005BD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058787Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B1E-6092-E008-00000000BA01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058786Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058785Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058784Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058783Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058782Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B1E-6092-E008-00000000BA01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058781Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.982{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B1E-6092-E008-00000000BA01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058780Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.983{B13AE1A5-6B1E-6092-E008-00000000BA01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058779Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B1E-6092-DF08-00000000BA01}7364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058778Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058777Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058776Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058775Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058774Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B1E-6092-DF08-00000000BA01}7364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058773Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.310{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B1E-6092-DF08-00000000BA01}7364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058772Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:34.311{B13AE1A5-6B1E-6092-DF08-00000000BA01}7364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030322Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:34.383{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D27167CD5F7148FD0824CCFBFDBB7F,SHA256=D99E55E9FAE1638C95DFF63F35C06C4C4CEEACF9B83508E04C1A588EC98DA8F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058798Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.810{B13AE1A5-6B1F-6092-E108-00000000BA01}54207632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058797Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B1F-6092-E108-00000000BA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058796Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058795Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058794Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058793Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058792Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B1F-6092-E108-00000000BA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058791Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.654{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B1F-6092-E108-00000000BA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058790Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.655{B13AE1A5-6B1F-6092-E108-00000000BA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058789Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.357{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=951F364EF9AD66EF77A52FD0D39E9B95,SHA256=2F16C77454D50FAC4E8E1928BB063F44BDEB972E9236B501BA6DAB10FACC97DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058788Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.357{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D698D7D5534069E4EA24968242826A4,SHA256=DB9602E99D891DDD78F749227FE38F3AA761E86120F618EAF5D763275A900E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030324Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:35.398{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDF53F87B6AC6F090CEFE98DA4B9343,SHA256=23A1E4842159FAB4D7AE64ED14D3A29A260F94A7C8F3190304A7177439A3F173,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030323Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:32.857{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51562-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058809Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.779{B13AE1A5-6B20-6092-E208-00000000BA01}54007072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058808Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.670{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=951F364EF9AD66EF77A52FD0D39E9B95,SHA256=2F16C77454D50FAC4E8E1928BB063F44BDEB972E9236B501BA6DAB10FACC97DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058807Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B20-6092-E208-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058806Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058805Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058804Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058803Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058802Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B20-6092-E208-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058801Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B20-6092-E208-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058800Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:36.639{B13AE1A5-6B20-6092-E208-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000058799Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:35.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030325Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:36.414{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C356BB52C843CDFE71A9F389CB77759B,SHA256=72141A759382B38758A6F12F58960CF57A0B0E1AB723F507146B3B4156E55CAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058826Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B21-6092-E408-00000000BA01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058825Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058824Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058823Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058822Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058821Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B21-6092-E408-00000000BA01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058820Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.982{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B21-6092-E408-00000000BA01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058819Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.983{B13AE1A5-6B21-6092-E408-00000000BA01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058818Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.467{B13AE1A5-6B21-6092-E308-00000000BA01}76363728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058817Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B21-6092-E308-00000000BA01}7636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058816Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058815Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058814Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058813Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058812Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B21-6092-E308-00000000BA01}7636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058811Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.310{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B21-6092-E308-00000000BA01}7636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058810Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:37.311{B13AE1A5-6B21-6092-E308-00000000BA01}7636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030326Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:37.492{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E8786CE4D3570FE5EC2164CD12DECC,SHA256=51595E1AFB24B56F23A55FE4D124A56A5918061247C1C070C1B1550FECC82D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058828Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:38.435{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760ADFE3EFAF12BA54D13770AEF91D90,SHA256=E168727F14EBB33D5F461F97F544342E169E30225CA417038443214517E810C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058827Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:38.123{B13AE1A5-6B21-6092-E408-00000000BA01}63525804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030327Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:38.508{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79F72B81A81D473ACDCF9FA699B1A81,SHA256=E7BCC7813F5C35044E37875C520D30CF15C0791AA247EFA803C6C33988020DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058836Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-47B2-6092-B000-00000000BA01}45563700C:\Windows\system32\conhost.exe{B13AE1A5-6B23-6092-E508-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058835Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058834Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058833Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058832Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058831Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B23-6092-E508-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058830Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-47B2-6092-AC00-00000000BA01}41844392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B23-6092-E508-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058829Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:39.889{B13AE1A5-6B23-6092-E508-00000000BA01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030328Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:39.586{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECF6A482D55CCCB6F4E1A2C3294F134,SHA256=E4EF099AA4F1337B5F23764CB995AFD578E616A7C26C5A65ED48C89BFDE7143A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058837Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:40.904{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3372EE33F2D26570A8D746E794A26D1B,SHA256=C82B624EDEAF58563058536E3F752B4000F8AB09BA911B3B660FB549BDEE50E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030330Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:40.695{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0E7E615DBA989EFA3EDF07C2CFE874,SHA256=E702F54B3FBCCCAD1BBBA63A905F1EF458169605E73E704868A62475408F9499,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030329Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:37.919{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51563-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030331Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:41.742{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BE977FE30B74D1003F8AD293980252,SHA256=4E0AEFFDA5697D61C0FC83832C5EDADCF7E59BA9ED0D21E4EF3F42FA81F24DCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058838Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:41.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030332Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:42.773{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6653A5F2DB0B000E678F01DDED2AC7D,SHA256=1662BC50D45B58F99E9CF5A631568A112DB62131D21CCF5716188191AB2F0744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030333Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:43.867{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D017846D6FC0E10A80A4BE1E1163B1D6,SHA256=6C5B5859DF7063022F452944D8F0F86411591C206C9FB36AEA6D4A91AD90472E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030334Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:44.914{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF00158FF4D8346301535619E3AC92F,SHA256=9733787406522BD9133051ECDA313588FC1BC561D76B79825985EDB9E14655B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030336Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:45.929{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CB925E8DEA5615C4EDE28F11E4A7B8,SHA256=1F567E516D021D05966C84D6590A5B88BB612C3DCE18F9F51D071C5037632703,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030335Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:43.966{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51564-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030337Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:46.960{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303EBFC300EDF3F6745E1CD8FF06FB32,SHA256=D4F4429F9084DDFEEA65E4E8D414661145BEA1A07F7921DDD68BD7E739BDB56D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058839Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:46.234{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030338Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:48.039{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C6FE5F6824FB90E6F84FD7008D31B8,SHA256=23A19281517116D3747F9E0447FA527B13199B87E0DBD082F695FA7C68A16E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058840Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:49.826{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030339Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:49.117{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6387CF28BD2665A8B7BC476BFFD9A,SHA256=412A6186CE9A30F26AE7167D40DA763680E26EE4E833278DE24090D7B92345F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030341Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:48.981{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51565-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030340Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:50.133{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB667074FDA5084ADE37AB94E466199,SHA256=B5AAD840909013888B22F1E06C3967A9EE13C1CF1B9CF8B3E61E9F7FB14C6DB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058841Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:49.780{B13AE1A5-47B2-6092-AC00-00000000BA01}4184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030342Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:51.195{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CEB2FA18C0A8CFA90D412EC06CE271,SHA256=053FAD6E665A7CA9C3EB4ACFE6387A9979E4AA2859DA07BF3F91528EA05BBE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030343Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:52.210{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFEF06620BE7C9E02F34062962B1C21,SHA256=EB64A94E08C3513A5920875F77DFE6A8E8CC1A86BDBB6F388A590F4EB8A616AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058849Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:52.015{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058848Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058847Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058846Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058845Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058844Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058843Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058842Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:53.670{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030344Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:53.413{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908472969CDE1E9F9A9C62432C7851DC,SHA256=4A5034C2C9976AED878C56F42588BA545A67202E52F5DBCB39D70E53CABFC73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030345Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:54.460{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D972AFFA1C2AB6D987AA05F861C2CD,SHA256=50ACFD61EB531DCD10C71B98C26D8E85F215AC9C9D45FEC5D13D3B14B1E0C488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030346Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:55.663{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B425A489AEE8B5BFD4885C029F2CDD7,SHA256=F836E68E92D3898774DFC370D0336988A7421C797E737820A18692A81754DFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058850Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:56.607{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=649B3BDE93F65CE28DF199D5E25416A9,SHA256=36E955BCBB21C87E9219B28096DC4F38EEED897BE4C2ACE720E63D563E96D45F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030348Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:55.012{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030347Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:56.679{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1291D285F2A8945FFE9A81C66C3BAC,SHA256=17EE11E5B46402C8F73CB3279D2BFF5BEEB80A7CBA6F0C80E6D9043EC57DED3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058857Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058856Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058855Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44087524C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058854Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058853Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058852Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058851Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:57.639{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030349Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:57.710{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7663AEED35D52A0A3FD94C3216FA59,SHA256=7359735CDC6EDC2C2CC8C86A1DABB1ABB79D79ADA8548649E854E45F66D3ABD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030350Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:58.851{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA52B9CE694F7A31A3FE26172382622E,SHA256=3A4631047E8F7CBD18A3B748C231078762DCAFA1E4A01FCB79106DEB33D4D2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030351Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:53:59.929{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35844D3A965CFAF80B6F24CAF53E031B,SHA256=6123CB5509724890E9102B65BB2B75498E020420B5161D240FD95195B6A00520,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058858Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:53:58.030{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030352Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:01.038{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E119E84A3AF1E735B1917C88BB1871,SHA256=020F3D81EAADE730F11EB75EDAFE725B193C5D56096103FFD0FB76F9EDD7410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030354Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:02.054{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A7099BC5A6C6D283DF5E89826DD31F,SHA256=0AD4AABD7CF5DC5B79316C3B3BE63C27C5B7F6357FB59EE86A5E9D3682CD18B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030353Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:00.028{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030355Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:03.101{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B466979609262287C3FE5BE03FA4A643,SHA256=9F8688019090928FBAAC0004D87064D3FBBDF0EF5DDE1E9EA08B88C092000CDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058859Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:03.046{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030356Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:04.148{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AE67308E9A1DF15A6C382ADD563C39,SHA256=7900C76E7B6B8A246E8F35A2FC0E430DECBFDBC15671C4C4208CC29323E56593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030357Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:05.241{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84E5CE938861479BB2D39E3223C5C96,SHA256=3AD52208961D58260DFD89424DA4B7199DFC36F5B46F83AFF1EB468C1AFF5B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030358Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:06.319{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6C70AD1A3AEF5836B3A78FAEAB1EE9,SHA256=F5707AD60449437B4E1A93904A3C4270E8C997AEDB731F06494105FDF1D1D683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030360Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:07.398{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5972CC26FC51D76895DF0DC5EC72E03A,SHA256=A8FDF99000D3703206009EE84320C1465C22E429C84C2084B19BC55571FAD3B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030359Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:05.825{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030361Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:08.413{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1203AEFA0733BABE40517BFE1086E857,SHA256=02C80CB718011B145F3CFA97C83291211FCE90289AAF13F13EA27D4A7118EC9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058860Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:08.062{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030362Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:09.538{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37837B4F7249052A0B33A1F146F8FA2A,SHA256=6DD143E9032E3F317EFBB006BA3A5531794A4D5521ACA20B8805B66344B67DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030363Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:10.585{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55F4A4E27A9368B0442CAEA5C23CC96,SHA256=2D4172737E6C0B1BA3C23CD8AE4EF68803DC7B9A332AA74823368A36CA36D1CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030377Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B43-6092-CA04-00000000BC01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030376Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030375Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030374Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030373Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030372Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030371Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030370Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030369Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030368Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030367Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B43-6092-CA04-00000000BC01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030366Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.882{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B43-6092-CA04-00000000BC01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030365Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.883{04D9AEC0-6B43-6092-CA04-00000000BC01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030364Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:11.601{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C158543F5C6D94FC0FC745E9E06574C6,SHA256=742EA018C9932AE8D40768ACB77BAB42B1D6E5D9CCF18EAE90EDA7BE3681C894,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030392Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:10.887{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030391Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B44-6092-CB04-00000000BC01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030390Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030389Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030388Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030387Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030386Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030385Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030384Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030383Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030382Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030381Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6B44-6092-CB04-00000000BC01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030380Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B44-6092-CB04-00000000BC01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030379Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.554{04D9AEC0-6B44-6092-CB04-00000000BC01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030378Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:12.022{04D9AEC0-6B43-6092-CA04-00000000BC01}31242588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030409Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.757{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3291B0A700BA843F8BC3A13E9D5237A,SHA256=5A1C2A599F26A0D458613706718D641EB7FF38257FA2E7F24D46EE861917578D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030408Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B45-6092-CC04-00000000BC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030407Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030406Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030405Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030404Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030403Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030402Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030401Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030400Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030399Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030398Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6B45-6092-CC04-00000000BC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030397Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B45-6092-CC04-00000000BC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030396Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.226{04D9AEC0-6B45-6092-CC04-00000000BC01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030395Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.022{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6585D12DC0B652B9BF391E2570CA69F,SHA256=1971B743676B3A6247FD935C108C858D9B3A33EF427DBE3EE6EAB577EA0D448E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030394Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.022{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8286D578B24F24A27706F015223DF54B,SHA256=E573EDCA357706E4A9A59B70D141DDFFB5E631DEC55C93446014DE812B7966BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030393Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:13.022{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B167BCE24EB7758F80F04D5AE6AEDB2,SHA256=F123139D9A491307A59849E56765813B7E953166352C78D660F450196195B77B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058861Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:13.077{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030426Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.804{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70415F6B1F1D60F3667CF95CA7E560C,SHA256=A34FFC5032078C5C7DB8C2C5874DA8C04E9FF8E47552225BD81D63BF22CA282E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030425Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.804{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030424Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.288{04D9AEC0-6B46-6092-CD04-00000000BC01}11483468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030423Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.288{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6585D12DC0B652B9BF391E2570CA69F,SHA256=1971B743676B3A6247FD935C108C858D9B3A33EF427DBE3EE6EAB577EA0D448E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030422Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B46-6092-CD04-00000000BC01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030421Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030420Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030419Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030418Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030417Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030416Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030415Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030414Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030413Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030412Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B46-6092-CD04-00000000BC01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030411Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.163{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B46-6092-CD04-00000000BC01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030410Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.164{04D9AEC0-6B46-6092-CD04-00000000BC01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030441Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.835{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960D553A65DADD122EE46BE554BD08F1,SHA256=E1C286FCBA2E9FCF2A827EF36F5570AE234202F5578FCDEF975FED88FED4727C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030440Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.475{04D9AEC0-6B47-6092-CE04-00000000BC01}36523076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030439Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B47-6092-CE04-00000000BC01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030438Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030437Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030436Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030435Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030434Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030433Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030432Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030431Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030430Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030429Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B47-6092-CE04-00000000BC01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030428Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.335{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B47-6092-CE04-00000000BC01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030427Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:15.336{04D9AEC0-6B47-6092-CE04-00000000BC01}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030470Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:14.575{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000030469Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B48-6092-D004-00000000BC01}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030468Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030467Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030466Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030465Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030464Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030463Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030462Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030461Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030460Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030459Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B48-6092-D004-00000000BC01}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030458Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B48-6092-D004-00000000BC01}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030457Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.679{04D9AEC0-6B48-6092-D004-00000000BC01}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030456Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.382{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592D93FDD51C923B51505BF144574D12,SHA256=EB73A54E90CCA275068F6AAB4AC824DA49B2B57A7C0DD0AA57031B2A85033264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030455Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.132{04D9AEC0-6B48-6092-CF04-00000000BC01}22923544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030454Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B48-6092-CF04-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030453Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030452Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030451Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030450Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030449Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030448Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030447Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030446Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030445Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030444Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B48-6092-CF04-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030443Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B48-6092-CF04-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030442Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.007{04D9AEC0-6B48-6092-CF04-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030472Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:17.694{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=358A18A124A2962F0B97FEC570354D54,SHA256=68B68C9C6042790EF8883C03760CC3274EE20BE9D8C932CB4B1E985413BA1944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030471Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:17.054{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9445DF5CF7B27E6F3843129E1E34424,SHA256=BDFF53308EE64DD25518483C407D2A4206BBE1A20B9D6C0D323F31E71162BC1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030474Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:16.934{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030473Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:18.069{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013286CD210C3ADCF6D26182AE4A0393,SHA256=48F2934A8D85D53622E4D79E6857BB515B26EF861A05AD1833940869D9EA4107,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058868Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44084792C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058867Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44084792C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058866Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44084792C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058865Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058864Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058863Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058862Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.295{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6ADA-6092-D408-00000000BA01}4200C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030475Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:19.147{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C83FCCD0A1DF4E8A8ACE5B45B1F450,SHA256=BD90199AC6765451B840EFEE23B9F19A7E0315001220886190C3CEDE26F9FAD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058869Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:19.046{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030476Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:20.304{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BC30333F9F0CD88220BA4F914674C2,SHA256=16B8F34A6944053EEAA0645A8944D7F62B2F499D53F8C703DE0EF2A0D62B0CBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058871Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:21.701{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-697D-6092-9B08-00000000BA01}6148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058870Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:21.701{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030477Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:21.335{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D02E308DF736E71F741A5CCC50878,SHA256=668CE446BD9DDB374C293B73CDEE9D247B7407BFD2E511C9DA4DAAECC5FD56D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030478Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:22.366{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2F593454CBA40CDE17CF218D37736,SHA256=FD1F9AA9D4227796B438D364C01AEE6C621152EB9D8702A09A8BC8DF2B63D43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058896Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.951{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B4F-6092-E808-00000000BA01}3816C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058895Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058894Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058893Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058892Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B4F-6092-E808-00000000BA01}3816C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058891Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058890Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-6B4F-6092-E708-00000000BA01}69085840C:\Windows\system32\cmd.exe{B13AE1A5-6B4F-6092-E808-00000000BA01}3816C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058889Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.949{B13AE1A5-6B4F-6092-E808-00000000BA01}3816C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B4F-6092-E708-00000000BA01}6908C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x800000000000000058888Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B4F-6092-E708-00000000BA01}6908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058887Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058886Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058885Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058884Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058883Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B4F-6092-E708-00000000BA01}6908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058882Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.935{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B4F-6092-E708-00000000BA01}6908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058881Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.942{B13AE1A5-6B4F-6092-E708-00000000BA01}6908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000058880Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.920{B13AE1A5-471A-6092-1400-00000000BA01}13327644C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058879Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.920{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058878Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058877Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058876Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058875Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085456C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058874Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.904{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058873Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.904{B13AE1A5-6ADA-6092-D308-00000000BA01}72167212C:\Windows\system32\cmd.exe{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058872Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.914{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exesplunk restartC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{B13AE1A5-6ADA-6092-D308-00000000BA01}7216C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\SplunkUniversalForwarder\bin" 23542300x800000000000000030479Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:23.460{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEE9BA92BBEE95B849575AB623F444,SHA256=6A80D58D07FA8A25DE814EB4500DB47475725E68BDBE9BF46B3661E10053BD55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058954Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B50-6092-EF08-00000000BA01}1420C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058953Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058952Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058951Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058950Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B50-6092-EF08-00000000BA01}1420C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058949Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058948Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.935{B13AE1A5-6B50-6092-EE08-00000000BA01}43365540C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B50-6092-EF08-00000000BA01}1420C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058947Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.939{B13AE1A5-6B50-6092-EF08-00000000BA01}1420C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B50-6092-EE08-00000000BA01}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x800000000000000058946Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B50-6092-EE08-00000000BA01}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058945Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058944Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058943Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058942Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058941Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B50-6092-EE08-00000000BA01}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058940Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-6B50-6092-ED08-00000000BA01}52005088C:\Windows\system32\cmd.exe{B13AE1A5-6B50-6092-EE08-00000000BA01}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058939Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.932{B13AE1A5-6B50-6092-EE08-00000000BA01}4336C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B50-6092-ED08-00000000BA01}5200C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x800000000000000058938Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B50-6092-ED08-00000000BA01}5200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058937Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058936Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058935Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058934Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058933Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B50-6092-ED08-00000000BA01}5200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058932Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B50-6092-ED08-00000000BA01}5200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058931Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.927{B13AE1A5-6B50-6092-ED08-00000000BA01}5200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 23542300x800000000000000058930Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10BDD3BF9D68BFE3D0B1BD76FB7CEAAC,SHA256=5FCC37EDF613E375771D147558E4D613DA22A5479287C0638D96C23EB92B3548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058929Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.920{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04DF63D6C4C1DFD2C8C8CC02EE063FA7,SHA256=689630DB0CED5291DA9838A6200B41BE79D8DA59C562B0B77EADCC04CDB327D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058928Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B50-6092-EC08-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058927Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058926Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058925Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B50-6092-EC08-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058924Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058923Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058922Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-6B50-6092-EB08-00000000BA01}65043752C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B50-6092-EC08-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058921Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.646{B13AE1A5-6B50-6092-EC08-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B50-6092-EB08-00000000BA01}6504C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x800000000000000058920Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B50-6092-EB08-00000000BA01}6504C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058919Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058918Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058917Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058916Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058915Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B50-6092-EB08-00000000BA01}6504C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058914Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-6B50-6092-EA08-00000000BA01}40123120C:\Windows\system32\cmd.exe{B13AE1A5-6B50-6092-EB08-00000000BA01}6504C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058913Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.639{B13AE1A5-6B50-6092-EB08-00000000BA01}6504C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B50-6092-EA08-00000000BA01}4012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x800000000000000058912Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B50-6092-EA08-00000000BA01}4012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058911Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058910Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058909Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058908Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058907Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B50-6092-EA08-00000000BA01}4012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058906Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.623{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B50-6092-EA08-00000000BA01}4012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058905Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.633{B13AE1A5-6B50-6092-EA08-00000000BA01}4012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000058904Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.357{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B4F-6092-E908-00000000BA01}7868C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058903Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058902Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058901Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058900Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.342{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B4F-6092-E908-00000000BA01}7868C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058899Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058898Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.342{B13AE1A5-6B4F-6092-E808-00000000BA01}38166356C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B4F-6092-E908-00000000BA01}7868C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058897Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:23.957{B13AE1A5-6B4F-6092-E908-00000000BA01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B4F-6092-E808-00000000BA01}3816C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 23542300x800000000000000030480Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:24.538{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E55499665166B1A179BF330034BEFC8,SHA256=E72434F061735631E8A131E6F30CB0B7B13458D1CCB969CA7047DEDC77EB1F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058989Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.935{B13AE1A5-47BF-6092-E300-00000000BA01}3216NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10BDD3BF9D68BFE3D0B1BD76FB7CEAAC,SHA256=5FCC37EDF613E375771D147558E4D613DA22A5479287C0638D96C23EB92B3548,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058988Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:24.108{B13AE1A5-47B9-6092-DA00-00000000BA01}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058987Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058986Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058985Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058984Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058983Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058982Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058981Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058980Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058979Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058978Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058977Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058976Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058975Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058974Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058973Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058972Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058971Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058970Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058969Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058968Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058967Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058966Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058965Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058964Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058963Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058962Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058961Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058960Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058959Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058958Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058957Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058956Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058955Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.451{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030482Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:25.569{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB2177DA1452CB9B3EECB7C4A9B93F2,SHA256=B79338EBA3F42359C17F138EEA2B2CA73416BB268CB87A5A448E62376B6E76E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030481Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:22.965{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058992Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:26.060{B13AE1A5-47B2-6092-AC00-00000000BA01}4184NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\conf-mutator.pidMD5=17A990425E40EA9939D408082CF07348,SHA256=EE59F764DDCE08C863BED58043E53DAC052D449BBCDBBEE49781049E140B0B12,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000058991Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.localT1031,T1050SetValue2021-05-05 09:54:26.014{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000004) 13241300x800000000000000058990Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:26.014{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\DeleteFlagDWORD (0x00000001) 23542300x800000000000000030484Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:26.600{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029A26F94B45233FA732CC08CBD6D676,SHA256=84BCCB21E6E3BCA80ABEC0CA67A19263DA36EBE793A234E696DDFEF21E107DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030483Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:26.006{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D994234E25E612255CB1CEED07D33628,SHA256=D8373274051E17FF7044562A04DAC5CB23BA1ECADBB7EFF2C798FB36BA8A3BD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059074Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F908-00000000BA01}7800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059073Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059072Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059071Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059070Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059069Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F908-00000000BA01}7800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059068Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.889{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B53-6092-F908-00000000BA01}7800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059067Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.898{B13AE1A5-6B53-6092-F908-00000000BA01}7800C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000059066Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.623{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F808-00000000BA01}3972C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059065Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059064Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059063Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F808-00000000BA01}3972C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059062Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059061Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059060Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-6B53-6092-F708-00000000BA01}31723192C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B53-6092-F808-00000000BA01}3972C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059059Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.620{B13AE1A5-6B53-6092-F808-00000000BA01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B53-6092-F708-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServerListener: --no-log 10341000x800000000000000059058Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F708-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059057Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059056Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059055Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059054Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059053Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F708-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059052Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-6B53-6092-F608-00000000BA01}14247516C:\Windows\system32\cmd.exe{B13AE1A5-6B53-6092-F708-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059051Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.613{B13AE1A5-6B53-6092-F708-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B53-6092-F608-00000000BA01}1424C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-log 10341000x800000000000000059050Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F608-00000000BA01}1424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059049Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059048Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059047Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059046Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059045Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F608-00000000BA01}1424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059044Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.607{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B53-6092-F608-00000000BA01}1424C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13ac4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12176|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059043Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.608{B13AE1A5-6B53-6092-F608-00000000BA01}1424C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000059042Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F508-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059041Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059040Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059039Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059038Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F508-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059037Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059036Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-6B53-6092-F408-00000000BA01}52046548C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B53-6092-F508-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059035Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.334{B13AE1A5-6B53-6092-F508-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B53-6092-F408-00000000BA01}5204C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x800000000000000059034Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F408-00000000BA01}5204C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059033Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059032Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059031Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059030Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F408-00000000BA01}5204C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059029Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059028Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.326{B13AE1A5-6B53-6092-F308-00000000BA01}70445524C:\Windows\system32\cmd.exe{B13AE1A5-6B53-6092-F408-00000000BA01}5204C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059027Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.328{B13AE1A5-6B53-6092-F408-00000000BA01}5204C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B53-6092-F308-00000000BA01}7044C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x800000000000000059026Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F308-00000000BA01}7044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059025Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059024Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059023Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059022Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059021Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F308-00000000BA01}7044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059020Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.310{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B53-6092-F308-00000000BA01}7044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1893f|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+17106|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1385a|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12176|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059019Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.322{B13AE1A5-6B53-6092-F308-00000000BA01}7044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000059018Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F208-00000000BA01}2872C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059017Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059016Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059015Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059014Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F208-00000000BA01}2872C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059013Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059012Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.045{B13AE1A5-6B53-6092-F108-00000000BA01}56847480C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B53-6092-F208-00000000BA01}2872C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059011Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.048{B13AE1A5-6B53-6092-F208-00000000BA01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B53-6092-F108-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServer --no-log 10341000x800000000000000059010Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F108-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059009Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059008Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059007Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059006Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059005Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F108-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059004Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-6B53-6092-F008-00000000BA01}54167808C:\Windows\system32\cmd.exe{B13AE1A5-6B53-6092-F108-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059003Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.041{B13AE1A5-6B53-6092-F108-00000000BA01}5684C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B53-6092-F008-00000000BA01}5416C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-log 10341000x800000000000000059002Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B53-6092-F008-00000000BA01}5416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059001Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059000Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058999Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058998Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058997Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B53-6092-F008-00000000BA01}5416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058996Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B53-6092-F008-00000000BA01}5416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+17249|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+137ff|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12176|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058995Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.034{B13AE1A5-6B53-6092-F008-00000000BA01}5416C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000058994Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058993Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:27.029{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030485Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:27.647{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C68AC38BA3A2C2005350646A03B558A,SHA256=8A0B4AFBA008E16433F74A163C573068996DB0B407C895EDE86C41BB4AD44547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059117Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B54-6092-FE08-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059116Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059115Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059114Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B54-6092-FE08-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059113Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059112Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059111Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-6B54-6092-FD08-00000000BA01}79882320C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B54-6092-FE08-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059110Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.804{B13AE1A5-6B54-6092-FE08-00000000BA01}6152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B54-6092-FD08-00000000BA01}7988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x800000000000000059109Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B54-6092-FD08-00000000BA01}7988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059108Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059107Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059106Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059105Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059104Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B54-6092-FD08-00000000BA01}7988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059103Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.795{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B54-6092-FD08-00000000BA01}7988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059102Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.797{B13AE1A5-6B54-6092-FD08-00000000BA01}7988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000059101Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B54-6092-FC08-00000000BA01}6380C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059100Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059099Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059098Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B54-6092-FC08-00000000BA01}6380C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059097Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059096Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059095Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.467{B13AE1A5-6B54-6092-FB08-00000000BA01}69005900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B54-6092-FC08-00000000BA01}6380C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059094Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.469{B13AE1A5-6B54-6092-FC08-00000000BA01}6380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B54-6092-FB08-00000000BA01}6900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x800000000000000059093Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B54-6092-FB08-00000000BA01}6900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059092Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059091Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059090Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059089Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059088Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B54-6092-FB08-00000000BA01}6900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059087Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.451{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B54-6092-FB08-00000000BA01}6900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059086Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.462{B13AE1A5-6B54-6092-FB08-00000000BA01}6900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000059085Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-6B54-6092-FA08-00000000BA01}5252C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000059084Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.749{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54057-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000059083Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:25.749{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54057-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 10341000x800000000000000059082Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B54-6092-FA08-00000000BA01}5252C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059081Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059080Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059079Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059078Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059077Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B54-6092-FA08-00000000BA01}5252C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059076Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.170{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B54-6092-FA08-00000000BA01}5252C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059075Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:28.171{B13AE1A5-6B54-6092-FA08-00000000BA01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 23542300x800000000000000030486Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:28.725{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8064B64E2515443033CB22927DC6CFD8,SHA256=D486E682B76B01290B4F08A930B3D64900D322BB0B4D76561A68D2ABB17D1C49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059167Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.748{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B55-6092-0409-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059166Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059165Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059164Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B55-6092-0409-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059163Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059162Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059161Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-6B55-6092-0309-00000000BA01}31888060C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B55-6092-0409-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059160Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.745{B13AE1A5-6B55-6092-0409-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B55-6092-0309-00000000BA01}3188C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x800000000000000059159Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B55-6092-0309-00000000BA01}3188C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059158Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059157Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059156Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059155Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059154Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B55-6092-0309-00000000BA01}3188C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059153Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-6B55-6092-0209-00000000BA01}60842548C:\Windows\system32\cmd.exe{B13AE1A5-6B55-6092-0309-00000000BA01}3188C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059152Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.738{B13AE1A5-6B55-6092-0309-00000000BA01}3188C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B55-6092-0209-00000000BA01}6084C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x800000000000000059151Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B55-6092-0209-00000000BA01}6084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059150Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059149Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059148Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059147Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059146Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.717{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B55-6092-0209-00000000BA01}6084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059145Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.717{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B55-6092-0209-00000000BA01}6084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059144Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.732{B13AE1A5-6B55-6092-0209-00000000BA01}6084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 23542300x800000000000000059143Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.654{B13AE1A5-6B55-6092-0109-00000000BA01}8096ATTACKRANGE\AdministratorC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=F99EB99B42B449211242458F3B62155C,SHA256=73D73616DE79DFE89F120499205D49EBFEB2B330472F2CE8305F12FC4438142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059142Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-6B55-6092-0109-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059141Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B55-6092-0109-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059140Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059139Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059138Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059137Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059136Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B55-6092-0109-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059135Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.389{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B55-6092-0109-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059134Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.393{B13AE1A5-6B55-6092-0109-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 10341000x800000000000000059133Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B55-6092-0009-00000000BA01}5596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059132Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059131Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059130Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059129Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B55-6092-0009-00000000BA01}5596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059128Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059127Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-6B55-6092-FF08-00000000BA01}55644528C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B55-6092-0009-00000000BA01}5596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059126Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.099{B13AE1A5-6B55-6092-0009-00000000BA01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B55-6092-FF08-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x800000000000000059125Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B55-6092-FF08-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059124Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059123Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059122Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059121Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059120Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6B55-6092-FF08-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059119Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B55-6092-FF08-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059118Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:29.092{B13AE1A5-6B55-6092-FF08-00000000BA01}5564C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 23542300x800000000000000030487Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:29.803{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B91BF36548F3E65F94A82066A2288C5,SHA256=01042B8103061B0A73C7E4F8C49A7675200494EF2A7BC566D3C499580BDD2377,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059283Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.935{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-1409-00000000BA01}5468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059282Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059281Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059280Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.935{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059279Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059278Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-1409-00000000BA01}5468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059277Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-6B56-6092-1309-00000000BA01}50165040C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B56-6092-1409-00000000BA01}5468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059276Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.935{B13AE1A5-6B56-6092-1409-00000000BA01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B56-6092-1309-00000000BA01}5016C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x800000000000000059275Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-1309-00000000BA01}5016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059274Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059273Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059272Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059271Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059270Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-1309-00000000BA01}5016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059269Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-6B56-6092-1209-00000000BA01}53485668C:\Windows\system32\cmd.exe{B13AE1A5-6B56-6092-1309-00000000BA01}5016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059268Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.928{B13AE1A5-6B56-6092-1309-00000000BA01}5016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B56-6092-1209-00000000BA01}5348C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x800000000000000059267Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-1209-00000000BA01}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059266Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059265Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059264Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059263Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059262Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-1209-00000000BA01}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059261Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.920{B13AE1A5-6B56-6092-0E09-00000000BA01}7180464C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B56-6092-1209-00000000BA01}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059260Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.922{B13AE1A5-6B56-6092-1209-00000000BA01}5348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x800000000000000059259Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.889{B13AE1A5-6B56-6092-1109-00000000BA01}79444752C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059258Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-1109-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059257Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059256Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059255Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059254Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-1109-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059253Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059252Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.639{B13AE1A5-6B56-6092-1009-00000000BA01}65123900C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B56-6092-1109-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059251Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.642{B13AE1A5-6B56-6092-1109-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B56-6092-1009-00000000BA01}6512C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x800000000000000059250Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-1009-00000000BA01}6512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059249Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059248Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059247Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059246Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059245Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-1009-00000000BA01}6512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059244Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-6B56-6092-0F09-00000000BA01}59767836C:\Windows\system32\cmd.exe{B13AE1A5-6B56-6092-1009-00000000BA01}6512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059243Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.635{B13AE1A5-6B56-6092-1009-00000000BA01}6512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B56-6092-0F09-00000000BA01}5976C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x800000000000000059242Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0F09-00000000BA01}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059241Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059240Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059239Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059238Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059237Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0F09-00000000BA01}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059236Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.623{B13AE1A5-6B56-6092-0E09-00000000BA01}7180464C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B56-6092-0F09-00000000BA01}5976C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059235Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.630{B13AE1A5-6B56-6092-0F09-00000000BA01}5976C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x800000000000000059234Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059233Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059232Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059231Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059230Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059229Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059228Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-6B56-6092-0D09-00000000BA01}11082508C:\Windows\system32\cmd.exe{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059227Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.617{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{B13AE1A5-6B56-6092-0D09-00000000BA01}1108C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x800000000000000059226Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0D09-00000000BA01}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059225Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059224Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059223Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059222Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059221Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0D09-00000000BA01}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059220Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.607{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B56-6092-0D09-00000000BA01}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059219Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.612{B13AE1A5-6B56-6092-0D09-00000000BA01}1108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059218Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.592{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059217Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.592{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0C09-00000000BA01}5808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059216Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.592{B13AE1A5-4718-6092-0A00-00000000BA01}8528148C:\Windows\system32\services.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059215Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-6B56-6092-0A09-00000000BA01}54887764C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0B09-00000000BA01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059214Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059213Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059212Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059211Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0B09-00000000BA01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059210Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059209Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.576{B13AE1A5-6B56-6092-0909-00000000BA01}78526360C:\Windows\system32\cmd.exe{B13AE1A5-6B56-6092-0B09-00000000BA01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059208Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.580{B13AE1A5-6B56-6092-0B09-00000000BA01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{B13AE1A5-6B56-6092-0909-00000000BA01}7852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x800000000000000059207Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.560{B13AE1A5-6B56-6092-0A09-00000000BA01}54887764C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0909-00000000BA01}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059206Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.560{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0A09-00000000BA01}5488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059205Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.545{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059204Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.545{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059203Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.545{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059202Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.545{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059201Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.545{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0909-00000000BA01}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059200Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.545{B13AE1A5-6B56-6092-0809-00000000BA01}27764984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B56-6092-0909-00000000BA01}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059199Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.558{B13AE1A5-6B56-6092-0909-00000000BA01}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059198Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059197Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059196Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059195Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059194Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.295{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059193Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.295{B13AE1A5-4718-6092-0A00-00000000BA01}8522972C:\Windows\system32\services.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059192Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.309{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000059191Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0709-00000000BA01}1396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059190Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059189Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059188Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059187Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0709-00000000BA01}1396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059186Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059185Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-6B56-6092-0609-00000000BA01}76163156C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B56-6092-0709-00000000BA01}1396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059184Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.037{B13AE1A5-6B56-6092-0709-00000000BA01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B56-6092-0609-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x800000000000000059183Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0609-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059182Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059181Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059180Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059179Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0609-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059178Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059177Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.029{B13AE1A5-6B56-6092-0509-00000000BA01}80246896C:\Windows\system32\cmd.exe{B13AE1A5-6B56-6092-0609-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059176Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.030{B13AE1A5-6B56-6092-0609-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B56-6092-0509-00000000BA01}8024C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x800000000000000059175Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-6ADA-6092-D408-00000000BA01}42007704C:\Windows\system32\conhost.exe{B13AE1A5-6B56-6092-0509-00000000BA01}8024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059174Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059173Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059172Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059171Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059170Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6B56-6092-0509-00000000BA01}8024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059169Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.014{B13AE1A5-6B4F-6092-E608-00000000BA01}81285748C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B56-6092-0509-00000000BA01}8024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+12221|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+19082|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d94e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059168Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:30.024{B13AE1A5-6B56-6092-0509-00000000BA01}8024C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B4F-6092-E608-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk restart 23542300x800000000000000030489Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:30.819{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7348CEF5C2BAB596FE076B17ACD0D3,SHA256=4244A196D601F3F34379025B9EBEAEE5A7B829BC4CE4C1085E3D62F9E909C457,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030488Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:28.027{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000059343Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.810{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1B09-00000000BA01}1440C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059342Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059341Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059340Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059339Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059338Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.795{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1B09-00000000BA01}1440C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059337Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.795{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B57-6092-1B09-00000000BA01}1440C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059336Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.808{B13AE1A5-6B57-6092-1B09-00000000BA01}1440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x800000000000000059335Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.779{B13AE1A5-6B57-6092-1A09-00000000BA01}39126036C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059334Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1A09-00000000BA01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059333Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059332Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059331Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059330Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059329Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1A09-00000000BA01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059328Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B57-6092-1A09-00000000BA01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059327Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.539{B13AE1A5-6B57-6092-1A09-00000000BA01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x800000000000000059326Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.529{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059325Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059324Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059323Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059322Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059321Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059320Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-6B57-6092-1809-00000000BA01}67884912C:\Windows\system32\cmd.exe{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059319Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.527{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{B13AE1A5-6B57-6092-1809-00000000BA01}6788C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x800000000000000059318Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1809-00000000BA01}6788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059317Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059316Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059315Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059314Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059313Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1809-00000000BA01}6788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059312Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.514{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B57-6092-1809-00000000BA01}6788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059311Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.521{B13AE1A5-6B57-6092-1809-00000000BA01}6788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059310Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059309Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.467{B13AE1A5-6B57-6092-1709-00000000BA01}79686320C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059308Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1709-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059307Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059306Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059305Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059304Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1709-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059303Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059302Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-6B57-6092-1609-00000000BA01}1087744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B57-6092-1709-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059301Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.222{B13AE1A5-6B57-6092-1709-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B57-6092-1609-00000000BA01}108C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x800000000000000059300Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.217{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1609-00000000BA01}108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059299Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059298Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059297Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059296Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059295Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1609-00000000BA01}108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059294Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-6B57-6092-1509-00000000BA01}49806268C:\Windows\system32\cmd.exe{B13AE1A5-6B57-6092-1609-00000000BA01}108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059293Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.215{B13AE1A5-6B57-6092-1609-00000000BA01}108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B57-6092-1509-00000000BA01}4980C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x800000000000000059292Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B57-6092-1509-00000000BA01}4980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059291Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059290Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059289Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059288Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059287Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B57-6092-1509-00000000BA01}4980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059286Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.201{B13AE1A5-6B56-6092-0E09-00000000BA01}7180464C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B57-6092-1509-00000000BA01}4980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059285Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.209{B13AE1A5-6B57-6092-1509-00000000BA01}4980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0E09-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x800000000000000059284Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:31.170{B13AE1A5-6B56-6092-1409-00000000BA01}54684960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030490Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:31.834{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF98D7585C69930CB828D1D21C78965,SHA256=1A1DD2DB1DE82D7D383000CA9E561DC8ECDC31F541D572D454017F867C2B26AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059396Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.967{B13AE1A5-6B58-6092-2109-00000000BA01}71482720C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059395Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B58-6092-2109-00000000BA01}7148C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059394Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059393Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059392Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B58-6092-2109-00000000BA01}7148C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059391Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059390Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059389Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-6B58-6092-2009-00000000BA01}44324496C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B58-6092-2109-00000000BA01}7148C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059388Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.724{B13AE1A5-6B58-6092-2109-00000000BA01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B58-6092-2009-00000000BA01}4432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x800000000000000059387Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B58-6092-2009-00000000BA01}4432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059386Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059385Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059384Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059383Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059382Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B58-6092-2009-00000000BA01}4432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059381Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B58-6092-2009-00000000BA01}4432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059380Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.717{B13AE1A5-6B58-6092-2009-00000000BA01}4432C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x800000000000000059379Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.670{B13AE1A5-6B58-6092-1F09-00000000BA01}41045672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059378Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B58-6092-1F09-00000000BA01}4104C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059377Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059376Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059375Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059374Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059373Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B58-6092-1F09-00000000BA01}4104C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059372Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-6B58-6092-1E09-00000000BA01}59284452C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B58-6092-1F09-00000000BA01}4104C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059371Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.432{B13AE1A5-6B58-6092-1F09-00000000BA01}4104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B58-6092-1E09-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x800000000000000059370Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B58-6092-1E09-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059369Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059368Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059367Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059366Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059365Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B58-6092-1E09-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059364Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.420{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B58-6092-1E09-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059363Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.425{B13AE1A5-6B58-6092-1E09-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x800000000000000059362Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.342{B13AE1A5-6B58-6092-1D09-00000000BA01}35083776C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059361Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B58-6092-1D09-00000000BA01}3508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059360Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059359Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059358Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059357Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B58-6092-1D09-00000000BA01}3508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059356Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059355Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-6B58-6092-1C09-00000000BA01}76205948C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B58-6092-1D09-00000000BA01}3508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059354Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.097{B13AE1A5-6B58-6092-1D09-00000000BA01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B58-6092-1C09-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x800000000000000059353Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.092{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B58-6092-1C09-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059352Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.076{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059351Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.076{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059350Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.076{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059349Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.076{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059348Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.076{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B58-6092-1C09-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059347Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.076{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B58-6092-1C09-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059346Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.091{B13AE1A5-6B58-6092-1C09-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x800000000000000059345Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.045{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-6B57-6092-1B09-00000000BA01}1440C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059344Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:32.045{B13AE1A5-6B57-6092-1B09-00000000BA01}14403828C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030491Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:32.866{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AB213DC93FB4F6AB31F353C9DBF376,SHA256=FD34B0975C73683C3CF1E730F3872FFD4ED6B09B6B28B96258A613AA540FC63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059475Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.951{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=F99EB99B42B449211242458F3B62155C,SHA256=73D73616DE79DFE89F120499205D49EBFEB2B330472F2CE8305F12FC4438142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059474Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2A09-00000000BA01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059473Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059472Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059471Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059470Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059469Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2A09-00000000BA01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059468Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.920{B13AE1A5-6B59-6092-2909-00000000BA01}55562340C:\Windows\system32\cmd.exe{B13AE1A5-6B59-6092-2A09-00000000BA01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059467Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.921{B13AE1A5-6B59-6092-2A09-00000000BA01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{B13AE1A5-6B59-6092-2909-00000000BA01}5556C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x800000000000000059466Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2909-00000000BA01}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059465Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059464Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059463Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059462Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059461Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2909-00000000BA01}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059460Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B59-6092-2909-00000000BA01}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059459Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.915{B13AE1A5-6B59-6092-2909-00000000BA01}5556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059458Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.904{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=52414E13BC571139A78F09588A1364A4,SHA256=3C1F79227940F5C563684E97F96860594D7E76089653064CB910620CB735929B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059457Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.873{B13AE1A5-6B59-6092-2809-00000000BA01}68005764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059456Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2809-00000000BA01}6800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059455Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059454Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059453Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059452Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2809-00000000BA01}6800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059451Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059450Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.639{B13AE1A5-6B59-6092-2709-00000000BA01}51285256C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B59-6092-2809-00000000BA01}6800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059449Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.638{B13AE1A5-6B59-6092-2809-00000000BA01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B59-6092-2709-00000000BA01}5128C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x800000000000000059448Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2709-00000000BA01}5128C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059447Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059446Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059445Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059444Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059443Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2709-00000000BA01}5128C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059442Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-6B59-6092-2609-00000000BA01}24167520C:\Windows\system32\cmd.exe{B13AE1A5-6B59-6092-2709-00000000BA01}5128C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059441Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.632{B13AE1A5-6B59-6092-2709-00000000BA01}5128C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B59-6092-2609-00000000BA01}2416C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x800000000000000059440Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2609-00000000BA01}2416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059439Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059438Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059437Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059436Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059435Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2609-00000000BA01}2416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059434Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.623{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B59-6092-2609-00000000BA01}2416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059433Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.626{B13AE1A5-6B59-6092-2609-00000000BA01}2416C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x800000000000000059432Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.592{B13AE1A5-6B59-6092-2509-00000000BA01}24446160C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059431Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2509-00000000BA01}2444C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059430Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059429Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059428Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059427Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2509-00000000BA01}2444C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059426Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059425Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-6B59-6092-2409-00000000BA01}43001340C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{B13AE1A5-6B59-6092-2509-00000000BA01}2444C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059424Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.354{B13AE1A5-6B59-6092-2509-00000000BA01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B59-6092-2409-00000000BA01}4300C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x800000000000000059423Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2409-00000000BA01}4300C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059422Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059421Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059420Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059419Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059418Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2409-00000000BA01}4300C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059417Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-6B59-6092-2309-00000000BA01}59082880C:\Windows\system32\cmd.exe{B13AE1A5-6B59-6092-2409-00000000BA01}4300C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059416Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.347{B13AE1A5-6B59-6092-2409-00000000BA01}4300C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{B13AE1A5-6B59-6092-2309-00000000BA01}5908C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x800000000000000059415Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2309-00000000BA01}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059414Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059413Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.342{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059412Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059411Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.326{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059410Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.326{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2309-00000000BA01}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059409Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.326{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B59-6092-2309-00000000BA01}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059408Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.341{B13AE1A5-6B59-6092-2309-00000000BA01}5908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x800000000000000059407Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.279{B13AE1A5-6B59-6092-2209-00000000BA01}5380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=F99EB99B42B449211242458F3B62155C,SHA256=73D73616DE79DFE89F120499205D49EBFEB2B330472F2CE8305F12FC4438142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059406Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.264{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-6B59-6092-2209-00000000BA01}5380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059405Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.248{B13AE1A5-6B59-6092-2209-00000000BA01}53801432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059404Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B59-6092-2209-00000000BA01}5380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059403Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059402Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059401Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059400Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059399Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B59-6092-2209-00000000BA01}5380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059398Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.014{B13AE1A5-6B57-6092-1909-00000000BA01}44041820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{B13AE1A5-6B59-6092-2209-00000000BA01}5380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059397Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:33.015{B13AE1A5-6B59-6092-2209-00000000BA01}5380C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{B13AE1A5-6B57-6092-1909-00000000BA01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x800000000000000030492Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:33.913{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6126BE4CF97EE4E5D66AAE8F99B80815,SHA256=920F936AD4A340FDAD4741BC8CBEDB373C0ABAAF6A194C9D718AFE723ADA664A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059539Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-3209-00000000BA01}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059538Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059537Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059536Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059535Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059534Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-3209-00000000BA01}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059533Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.920{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-3209-00000000BA01}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059532Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.922{B13AE1A5-6B5A-6092-3209-00000000BA01}3860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059531Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-3109-00000000BA01}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059530Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059529Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059528Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059527Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059526Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-3109-00000000BA01}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059525Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.810{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-3109-00000000BA01}2704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059524Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.812{B13AE1A5-6B5A-6092-3109-00000000BA01}2704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059523Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-3009-00000000BA01}6112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059522Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059521Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059520Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059519Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059518Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-3009-00000000BA01}6112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059517Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.701{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-3009-00000000BA01}6112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059516Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.703{B13AE1A5-6B5A-6092-3009-00000000BA01}6112C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059515Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-2F09-00000000BA01}6240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059514Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059513Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059512Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059511Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059510Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-2F09-00000000BA01}6240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059509Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.592{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-2F09-00000000BA01}6240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059508Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.594{B13AE1A5-6B5A-6092-2F09-00000000BA01}6240C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059507Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-2E09-00000000BA01}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059506Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059505Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059504Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059503Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059502Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-2E09-00000000BA01}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059501Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.482{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-2E09-00000000BA01}6072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059500Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.484{B13AE1A5-6B5A-6092-2E09-00000000BA01}6072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059499Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-2D09-00000000BA01}7560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059498Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059497Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059496Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059495Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059494Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-2D09-00000000BA01}7560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059493Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.373{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-2D09-00000000BA01}7560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059492Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.376{B13AE1A5-6B5A-6092-2D09-00000000BA01}7560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059491Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-2C09-00000000BA01}5652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059490Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059489Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059488Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059487Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059486Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-2C09-00000000BA01}5652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059485Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.264{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-2C09-00000000BA01}5652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059484Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.265{B13AE1A5-6B5A-6092-2C09-00000000BA01}5652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059483Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5A-6092-2B09-00000000BA01}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059482Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059481Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059480Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059479Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059478Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B5A-6092-2B09-00000000BA01}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059477Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.139{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5A-6092-2B09-00000000BA01}4248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059476Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:34.151{B13AE1A5-6B5A-6092-2B09-00000000BA01}4248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030493Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:34.944{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AA91479E5BAAAC9392E3A29A2FB3D1,SHA256=092C3709A5B6650F73486247E33AF877FA152B1014D6F32547E700CCD41FF028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059563Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5B-6092-3509-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059562Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059561Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059560Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059559Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059558Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B5B-6092-3509-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059557Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.779{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5B-6092-3509-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059556Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.250{B13AE1A5-6B5B-6092-3509-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059555Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5B-6092-3409-00000000BA01}3088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059554Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059553Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059552Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059551Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059550Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B5B-6092-3409-00000000BA01}3088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059549Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.139{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5B-6092-3409-00000000BA01}3088C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059548Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.140{B13AE1A5-6B5B-6092-3409-00000000BA01}3088C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059547Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5B-6092-3309-00000000BA01}2664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059546Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059545Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059544Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059543Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059542Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B5B-6092-3309-00000000BA01}2664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059541Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.029{B13AE1A5-6B56-6092-0809-00000000BA01}27765020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5B-6092-3309-00000000BA01}2664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059540Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:35.031{B13AE1A5-6B5B-6092-3309-00000000BA01}2664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030495Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:35.975{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94D4575F6260106C82159A7805728C0,SHA256=1140BD1CD55136D4CF4EFF6B3689D9A9A830FAB2F767DD1EE65BB57920CB1FCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030494Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:33.840{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51574-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000059571Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059570Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059569Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059568Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059567Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059566Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059565Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.795{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059564Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.796{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030496Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:37.022{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA92A556967780A2137FBC1323E6931,SHA256=44E97C690BAA285B05AF44FDBE44CBC7D48BFD8EDD6A4B1D8F5CC82D30B15D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059592Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:37.252{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal9997- 10341000x800000000000000059591Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.623{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-6B5E-6092-3709-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059590Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5E-6092-3709-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059589Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059588Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059587Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059586Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059585Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B5E-6092-3709-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059584Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.607{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5E-6092-3709-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059583Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.468{B13AE1A5-6B5E-6092-3709-00000000BA01}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x800000000000000059582Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.529C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 10341000x800000000000000059581Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.529{B13AE1A5-6B5D-6092-3609-00000000BA01}22045148C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+2016cb|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6e213|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059580Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:38.529{B13AE1A5-4716-6092-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 13241300x800000000000000059579Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:38.529{B13AE1A5-4716-6092-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x800000000000000059578Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:38.529{B13AE1A5-4716-6092-0100-00000000BA01}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 13241300x800000000000000059577Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:38.529{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\DisplayNamenpf 13241300x800000000000000059576Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.localT1031,T1050SetValue2021-05-05 09:54:38.529{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ImagePath\??\C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys 13241300x800000000000000059575Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:38.529{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ErrorControlDWORD (0x00000001) 13241300x800000000000000059574Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.localT1031,T1050SetValue2021-05-05 09:54:38.529{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000003) 13241300x800000000000000059573Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:54:38.529{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\TypeDWORD (0x00000001) 12241200x800000000000000059572Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-DeleteKey2021-05-05 09:54:38.529{B13AE1A5-4718-6092-0A00-00000000BA01}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf 23542300x800000000000000030497Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:38.037{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7339030E3EA264171A2094F9497B230,SHA256=E3BF404231D7D52530884070197F0A7BFDFCC38FE9618BA22EA683C8FBEF2080,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059609Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.508{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000059608Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5F-6092-3909-00000000BA01}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059607Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059606Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059605Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059604Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059603Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B5F-6092-3909-00000000BA01}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059602Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.951{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5F-6092-3909-00000000BA01}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059601Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.952{B13AE1A5-6B5F-6092-3909-00000000BA01}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059600Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B5F-6092-3809-00000000BA01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059599Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059598Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059597Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059596Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059595Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B5F-6092-3809-00000000BA01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059594Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.279{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B5F-6092-3809-00000000BA01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059593Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.280{B13AE1A5-6B5F-6092-3809-00000000BA01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030498Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:39.069{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95D336484EF6415689D3BCBBCA74CEF,SHA256=67B5E48D97CBAC6AA6E89D100CC699320AF868A6193042AA5FE0D9F1321EE795,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000059619Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.509{B13AE1A5-6B5D-6092-3609-00000000BA01}2204win-dc-7630fe80::b974:a305:c345:f12f;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x800000000000000059618Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B60-6092-3A09-00000000BA01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059617Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059616Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059615Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059614Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059613Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B60-6092-3A09-00000000BA01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059612Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.482{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B60-6092-3A09-00000000BA01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059611Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.483{B13AE1A5-6B60-6092-3A09-00000000BA01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059610Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.092{B13AE1A5-6B5F-6092-3909-00000000BA01}73367580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030500Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:38.855{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030499Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:40.100{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FFB80D2AB5B0832CD1BBF30E8EF4E3,SHA256=17CE606EDCFA9B8B55423FBC8ACF3F2F4E5739C0E1997E85251C8EE8AFB3171E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059639Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B61-6092-3C09-00000000BA01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059638Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059637Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059636Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059635Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059634Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B61-6092-3C09-00000000BA01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059633Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B61-6092-3C09-00000000BA01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059632Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.967{B13AE1A5-6B61-6092-3C09-00000000BA01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x800000000000000059631Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:40.326{B13AE1A5-6B5D-6092-3609-00000000BA01}2204win-dc-763.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x800000000000000059630Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B61-6092-3B09-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059629Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059628Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059627Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059626Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059625Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B61-6092-3B09-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059624Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.295{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B61-6092-3B09-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059623Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:41.155{B13AE1A5-6B61-6092-3B09-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000059622Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.658{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000059621Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:39.261{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000059620Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:38.877{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030501Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:41.194{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EE6418C0989793F729155090C1CF75,SHA256=297A065A618C1DCD62C2347760FA5BD540E82DA76AC9F7D698317D4031492338,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059649Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.779{B13AE1A5-6B62-6092-3D09-00000000BA01}73727700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059648Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B62-6092-3D09-00000000BA01}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059647Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059646Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059645Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059644Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059643Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B62-6092-3D09-00000000BA01}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059642Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B62-6092-3D09-00000000BA01}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059641Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.639{B13AE1A5-6B62-6092-3D09-00000000BA01}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059640Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:42.107{B13AE1A5-6B61-6092-3C09-00000000BA01}76246572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030502Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:42.241{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12945868CC12A19C5142CA5271310F0,SHA256=CD82B35D0D664717EAB77C9BD7714A0425269333466DA9E720F69F4237B187EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059658Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.467{B13AE1A5-6B63-6092-3E09-00000000BA01}79767420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059657Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B63-6092-3E09-00000000BA01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059656Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059655Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059654Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059653Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059652Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B63-6092-3E09-00000000BA01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059651Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.310{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B63-6092-3E09-00000000BA01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059650Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.311{B13AE1A5-6B63-6092-3E09-00000000BA01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030503Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:43.334{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F371D68E0ECC86DEE1EBD9BE398C5B,SHA256=7DC39B3F90384D9C462EDFADDC1434521929E09942B344F730EFF5B1EE6A2FC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059680Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B64-6092-4009-00000000BA01}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059679Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059678Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059677Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059676Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059675Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B64-6092-4009-00000000BA01}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059674Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.795{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B64-6092-4009-00000000BA01}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059673Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.796{B13AE1A5-6B64-6092-4009-00000000BA01}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059672Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.373{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=066A0F466DA87DCCA405A20AB45EBDC9,SHA256=5A07F690F9D1AF1B188AC2D677EB4FA674CB685EB32C6A5AC16AAB2ADCBB2E07,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000059671Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.310{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000059670Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.295{B13AE1A5-4718-6092-0B00-00000000BA01}8604416C:\Windows\system32\lsass.exe{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059669Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.295{B13AE1A5-4718-6092-0B00-00000000BA01}8604416C:\Windows\system32\lsass.exe{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000059668Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.295{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DF0F056C1009BC82FA85318F2565E4B7,SHA256=69D65E3F5A3AF950B4BC82713886C0C66E845A34C0A3C92A9A3CEA98292284EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059667Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.279{B13AE1A5-6B63-6092-3F09-00000000BA01}41486172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059666Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059665Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059664Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059663Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059662Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059661Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059660Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.123{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059659Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:43.983{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030504Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:44.350{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D63944179AB59CB9F894D01914953C,SHA256=CF6E6C85658B2965B3045CA12072885CFD1BDE816AFA0C14FD34905C1186CC0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030506Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:43.949{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51576-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030505Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:45.397{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A52FBAE401E677031F3A78957CFDCF2,SHA256=5330772BF0C86E1EF6E431424A86D86ABD1198A23E11F5E7B6C733C4AC461112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059687Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:46.576{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FAFFA767B8C86E5AC797C698DFE0ADD,SHA256=C0B3BEF718E57CF450B988F36A7111E461F80C4248B859B94EFA378082844076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059686Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.276{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54065-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local49666- 354300x800000000000000059685Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.276{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54065-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local49666- 354300x800000000000000059684Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.270{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54064-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000059683Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.270{B13AE1A5-6B63-6092-3F09-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54064-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000059682Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.202{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 22542200x800000000000000059681Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:44.283{B13AE1A5-6B63-6092-3F09-00000000BA01}4148win-dc-763.attackrange.local0fe80::b974:a305:c345:f12f;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 23542300x800000000000000030507Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:46.412{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B925C0605B5A5DFF2EFADC1E5EF75FDD,SHA256=9412D9922FE66D9ECAB6CC32388D89B877044ACA49AA0D0BD314E3A302DEAA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059688Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:46.184{B13AE1A5-471A-6092-0F00-00000000BA01}1140C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse51.161.104.168ip168.ip-51-161-104.net56636-false10.0.1.14win-dc-763.attackrange.local3389ms-wbt-server 23542300x800000000000000030508Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:47.428{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97197F98BD890A49AA437B65FE5DD0EC,SHA256=46083BB3B56ACD541750066ED2960F68B5F08C189EC7D1E5367FE9389EF519A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059690Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:46.314{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53263- 354300x800000000000000059689Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:46.312{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local52839- 23542300x800000000000000030509Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:48.444{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8CA50D47E75D18638E50D66248B00C,SHA256=F6E986F80DB0B90EAAFBC2BBE36FF99E033624D1DE053D05AB4AB71119A53A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030510Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:49.459{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338A95475A2767486933E7196963FA9C,SHA256=395DCEFA6EEF0896CBC324008137E4F4394C0050275FB4C58955F5938B2FC47D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030512Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:48.996{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51577-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030511Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:50.475{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1770CC3EA01952FDAAF0575DC83166B,SHA256=FF6F250F623C883D8461215A48299243BBB676E6C9075F41578B29A70595AC0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059691Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:49.983{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030513Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:51.537{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1D08E7A7F3349A0E6D4F7DFAF74141,SHA256=6C9758118B83963006E12E731DA6338FA5DC43D9034C88847DCCD0B1E5C1DE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059693Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:52.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E86BACD3C6FFDA28217DFFA2B92FED0,SHA256=853322386E9DB182074DC26E88160EB2080E7A99CF187433C4AA563B49ABDFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059692Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:52.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9F9B69511993717061DD1B92EF6E70A,SHA256=901C6A2AE4C2516D27466ABA8AC9EB7A708F05F4CF9189F40DCD2C73A51BA778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030514Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:52.568{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DA96406A6A0DFD1249CAFCDEC1AEDA,SHA256=FAD81E34D10AED466DAC96D2555CBBA05F41131B66C769336C16F9D75BD543F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030515Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:53.600{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C735E732062CBCCF8BEE34A54BF04122,SHA256=85F49311053F1828489F518AC4A57B532AA9B537A4E7EF6481A47598CE289EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059694Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:54.357{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B251DF6B54933BA07BA567B74658DC,SHA256=E10A24091EA22D572842DBD1AB57D6C75073ED3DEBCC4D4EB9F4D260A1C17C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030516Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:54.615{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E072C6541637C49AFE65E0896A7ACAF,SHA256=7352C549BEE1CFDA6BD451534089A93D2C856F76249D5F2FEE9220B0745CD7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030517Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:55.646{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC00723285BCE01095E178328EA94EF,SHA256=AFE6753F5A07EC13402B3B37F8BF2ECCB2E9162A523B26BC8B11B3A466283254,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059696Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:54.998{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059695Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:54:56.623{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AB7359E6FBEEFC0EB295CB8E984F5F2B,SHA256=0BF80384B0D048D953ED8A8723CE64E1633ADF1132DDB2D4608A7D9188CA2FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030518Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:56.725{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01774B4154BE56E2156D16AF7F949DC0,SHA256=8B4FC10F59EDD98C50972A8ECD8034911EC72C8D030BB0A1856EC2032EC6CD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030520Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:57.771{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9980D22A89A0D725140CCC8391AC243,SHA256=C28C6D6F71FC3CEBDC667F65C97076A45C446BB0CF51C28ECA42A4B83E3D6234,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030519Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:55.011{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51578-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030521Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:58.803{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F868F1A6710066E5F48AAB895DB15D8,SHA256=9B03C03EA029F3B58A04280D6B6C8EDFEFFC2547BE9012175CAA43B141368295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030522Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:54:59.849{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5ED5CA35E629B5C7C3A4B36E390B920,SHA256=9E366D7D074A401DD2C67D8E262CE2EA3EB125FCB7748E8B2456FB3569B4986F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059699Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:00.295{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDADFAEA05F77529A699C18A066532D4,SHA256=F593EAEBEF3FE486977A95CDD0335A0FEA6C20DBB10E8AD2905F43B4B96177EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059698Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:00.295{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF075A9B02E5CEF11AD1D497210DCEB8,SHA256=9159B51BE93632AE41E93C6E08C0CF32170A062BE4BA71882760796E3FB317D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059697Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:00.295{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE63089FC8B7D10D292B9047F07E0741,SHA256=30E4F41A0393005483A1CA093EF25F8D02B0170DE2927248BF981FACDDF3C6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030523Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:00.865{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53C01C2D594B1B3E6B842CFB08A1412,SHA256=9D10B2296B4CB6D3B249B90908554C21ABC0D026647A23F9491E1F45E75077B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059701Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:00.014{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059700Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:01.310{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62094889C2E0842A4DDC6ED41EA6422D,SHA256=9F589F56EA00B64B7B3E0E6D8C95B2868CD86CE0BDC25FA95BB01754813D8D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030524Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:01.912{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDEFFC80A73869ED04A0A1FF36CF0D3,SHA256=824B95B51850583B8897268A02FC6C933A4AA5BCBEE798378E04609339B22560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030526Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:02.943{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66841A097CF3F7E2BC36F7D2A4B78A07,SHA256=1E83ED71061637BF5BE15969119524DB3F3BFF571500F82743406F9510678AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059702Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:02.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B0BE79F5B56F9DE67E927F0831F336,SHA256=1FC28A4C2567DC395602ACD6FA32DF775DDCD833C055A63AECBA4564D820CF27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030525Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:00.027{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51579-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030527Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:03.990{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5EDD63F1F6DD60DB1F4CD55E319EB4,SHA256=0E952285ACCB8ADD9E882BF3262B81CB718A79658A0A4CDD42F109A7A1CD8F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059703Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:03.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA75495AD9E77F55630A6C49EA016146,SHA256=F39D9CB481CFAFB2F6EB7B651617BC2BDDAB997F5EB003D6120BA773D11942BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059704Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:04.435{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA28BD348C3C0411E8C871A0715F7C5,SHA256=97D41A57339BA72384834FD84440889022293440351202FA623D1DC4DDBFE8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059705Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:05.502{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201CFF81467E621CEE3016840DA79C10,SHA256=22DED80D4896B62AF690CE8D791D78D822FFE500AFA4F6CC5A5D024620B27101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030528Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:05.131{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C021C87DF05587BD3959983228181A1A,SHA256=B65C0192447BE23E4624B14CA5B3F6AC99AD097AF4C4917112E317AD7A975928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059706Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:06.529{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322C458C1C7E9654EF05AD4D5A063BCF,SHA256=E9D1F55E72B05FCAE9046EDA1BA3E2203844B57DBE6BA7688FE1F0F4A71BE564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030529Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:06.177{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E297FA257430DEE8CA4EBA7C547ED482,SHA256=0C39C5C8A13EA5E9EB2929F3CEB5476A864C777D5E7A8582AB4B2C3A62CCDCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059708Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:07.529{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7015C4D3D5DB0CEB91EBD6AF362A14,SHA256=0633052EA1E7D14F9FD04E9305887A37F9504E22414C8BB066B49172E52F0329,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030531Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:05.855{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51580-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030530Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:07.178{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D427E029332242317FC3C4C575A6CC,SHA256=D7A8400DBEAB661F03CD05D1910C37AB7D4C2943A5F6CDADF592F6DFD7AF4B50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059707Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:05.029{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059709Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:08.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A6FD97A75A24BFCA591BFC2B7C19E5,SHA256=DFDD5C04981A9D943112985295640E092967A438C8CE6B772C149286702D8457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030532Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:08.240{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DEA37F49590DF2595E4CA798B823B7,SHA256=692CD90AF61E70A959E0DDDABBDF1B091723968F8684FFEF5589A914E43E9F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059710Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:09.592{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E94B9C66D127085A6D0D8C1AD0E323,SHA256=409D2AC5889CE6B4517E552F9F25619801448E31C2401D15028B156BC49B1C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030533Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:09.287{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3976001158ADA86752A728893B859,SHA256=9A8B2F0DEFA104DED5D82038AE58DE9E5F373AF258BCFD6EECBF5CA6F22A2A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059711Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:10.685{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A540F715B918B86ED1FDBCBEB341409A,SHA256=BF001FE875683D6F75CABD45DB2E0EE5FA237EF2D563FB2F02AD0A84CEBF1143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030534Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:10.349{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD70621046B3307D422E459D95AEC466,SHA256=ED871B7DF15EF1CADF918D1250D77F224F701FF413A1888BA78EDDD5CFAEDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059712Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:11.701{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C39D7F74912F162E6222F2368C45AD,SHA256=C40F9A56B8CC20F1EA907487DD16176D8ACD2DAD1161A543188E2D2FD077BFE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030548Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B7F-6092-D104-00000000BC01}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030547Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030546Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030545Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030544Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030543Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030542Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030541Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030540Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030539Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030538Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B7F-6092-D104-00000000BC01}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030537Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.724{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B7F-6092-D104-00000000BC01}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030536Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.725{04D9AEC0-6B7F-6092-D104-00000000BC01}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030535Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:11.365{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7329200A5D98C9554CAB13101655E69,SHA256=584A2772C2541F61BAF6C50887ACE2504738181A0ED1D296DDA6C813F079C47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059714Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:12.701{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CEC080DB801081BA5F4A1FA9386100,SHA256=184E6C03B0CB2564F76B31F798D810C737E4DA8DCE9B6F24DB76F2BAA0264196,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030565Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:10.886{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030564Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.756{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED9A81FC9F5E586AAA25173DB5C9AB7,SHA256=335640DA111DFD513D099967F28031D85052026EA202632D6B4245191657D65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030563Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.756{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F397BF7760066476957E9838BD298B38,SHA256=AA7C25D1FA719382F0D74DE28ED6DCD6AA3F94E2A42170CAFA42042240EF71CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030562Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD8F256C2BBA8CD94AEBB31FCD08F48,SHA256=593C009B18CA62679E65F57E6517D57B6B2859420D87C6E2583E16F677D13FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030561Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B80-6092-D204-00000000BC01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030560Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030559Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030558Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030557Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030556Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030555Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030554Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030553Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030552Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030551Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6B80-6092-D204-00000000BC01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030550Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.396{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B80-6092-D204-00000000BC01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030549Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:12.397{04D9AEC0-6B80-6092-D204-00000000BC01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000059713Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:11.029{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059715Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:13.717{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F387BFB14124EF7C4BB9F5B92AE7E87,SHA256=92BAFC5091FDFD79DE7E21867AE2263E4857911D743BE5F4E88018674CFAF729,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030579Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.209{04D9AEC0-6B81-6092-D304-00000000BC01}29203024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030578Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B81-6092-D304-00000000BC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030577Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030576Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030575Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030574Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030573Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030572Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030571Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030570Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030569Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030568Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B81-6092-D304-00000000BC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030567Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.068{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B81-6092-D304-00000000BC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030566Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:13.069{04D9AEC0-6B81-6092-D304-00000000BC01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059716Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:14.732{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B189070283E313D2D49B33C3478F21B,SHA256=EB8D3C29D1DEB1C03BC4BFACE61BD34329C5C33F4ED6EEEE8D84D0F9C2379216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030596Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.834{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030595Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.193{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED9A81FC9F5E586AAA25173DB5C9AB7,SHA256=335640DA111DFD513D099967F28031D85052026EA202632D6B4245191657D65D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030594Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.146{04D9AEC0-6B82-6092-D404-00000000BC01}9563744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030593Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B82-6092-D404-00000000BC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030592Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030591Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030590Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030589Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030588Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030587Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030586Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030585Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030584Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030583Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B82-6092-D404-00000000BC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030582Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B82-6092-D404-00000000BC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030581Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.008{04D9AEC0-6B82-6092-D404-00000000BC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030580Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.005{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E45F6FE4A663A423B82377E9109B3D,SHA256=5B1CD63692AB1ECAD0E948A7C56F4943E1F5DFCD4370090E5815B6CD2F7B54EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059717Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:15.748{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568119D585AC212C168D63A1DF101C1F,SHA256=9123FD6E50C7F7DD54F15437B5A7A9EE4CA51EAD7268CC983CE1619D5BC829AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030610Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B83-6092-D504-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030609Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030608Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030607Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030606Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030605Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030604Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030603Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030602Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030601Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030600Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B83-6092-D504-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030599Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B83-6092-D504-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030598Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.334{04D9AEC0-6B83-6092-D504-00000000BC01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030597Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.021{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA77D24F666F5513A0A3CD99006F4C30,SHA256=ADE19D376D00E97DF9CAB64ACC51B3037EEB428460134D4FDDD52F3BCB21444A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059718Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:16.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F816AAD9FD553761FBCE28BCD398E1,SHA256=B56BAB7F3F5EEDE8C734C8F940F178F53E6DCFA043871CB3C8F4721923549F98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030641Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:14.604{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000030640Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.646{04D9AEC0-6B84-6092-D704-00000000BC01}18521308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030639Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B84-6092-D704-00000000BC01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030638Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030637Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030636Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030635Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030634Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030633Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030632Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030631Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030630Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030629Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6B84-6092-D704-00000000BC01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030628Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B84-6092-D704-00000000BC01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030627Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.508{04D9AEC0-6B84-6092-D704-00000000BC01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030626Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FEDEE98164F952EF15AF2AC8B69CCC,SHA256=83AF2DA0FFEEEC9B0F1AF520B5C324375D2A26543D6773AC1C31F9D0F7BC0A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030625Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.505{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DFC194EE14C2360F4959D28B6E739DC,SHA256=BF2EB0C8A097EE3623C3CCD11765B1449D2E115D230D595FEB9AA6D18DE22154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030624Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.146{04D9AEC0-6B84-6092-D604-00000000BC01}38723980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030623Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6B84-6092-D604-00000000BC01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030622Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030621Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030620Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030619Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030618Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030617Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030616Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030615Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030614Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030613Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6B84-6092-D604-00000000BC01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030612Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.005{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6B84-6092-D604-00000000BC01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030611Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:16.006{04D9AEC0-6B84-6092-D604-00000000BC01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059719Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:17.764{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B411F268514F1EC4C47DD0196065BD7,SHA256=D523A7DDDC312C32C6AE75CEF30C0CE195ABEC449114B2E56C5AF6BF0215BBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030643Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:17.521{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCEB0E139ECA1B81247997A7778C16A5,SHA256=8EF1C49862A24F09C4C4FDE252E404A629D84243123EB5917B57CCFB039CDCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030642Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:17.177{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE44C3B12E558A56C89710C2B879EE5,SHA256=51A5754D43A395A6864FFB845C5A29F5B3B6171CF261F2B2BABC8718909570E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059731Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:17.061{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059730Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:18.779{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FB6CD283F349BBA375E9CA034F5A65,SHA256=4836A17F3181EA88F1A6F8B64CB6E7B47613C4F7A17F28720D6F1CE430B42D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030645Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:18.240{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C2A2C69B71E21AD3C4BA45264B88D1,SHA256=633ED40C9CB3C56BAD0415391AE28185EF69357F0D09A057DABF1BC2A8FBC93D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059729Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000059728Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008e6510) 13241300x800000000000000059727Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418c-0x5f14bf32) 13241300x800000000000000059726Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74194-0xc0d92732) 13241300x800000000000000059725Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419d-0x229d8f32) 13241300x800000000000000059724Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000059723Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008e6510) 13241300x800000000000000059722Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418c-0x5f14bf32) 13241300x800000000000000059721Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74194-0xc0d92732) 13241300x800000000000000059720Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:18.076{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419d-0x229d8f32) 354300x800000000000000030644Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:15.948{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059732Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:19.795{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDFAC795D82B275B1EDC9E092BF9352,SHA256=6AC0EE580A1B1EC3E879675FC6EC88BF3C8FC0DF2DD85140A7E50F22079FC4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030646Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:19.271{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968388857AFE6F4C6120EF48ED755F16,SHA256=4DEFEF63A84CC349EFE8AF22F7E3DC17D74D99C849058ED946C0F945AE4B3DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059733Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:20.795{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB5D165A7ED823F3265B38B51FBEA2F,SHA256=2DF2672D144288579F963C209DA568A3F509892FDD187230E8D63FB8FD95A6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030647Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:20.287{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A0D27080038AE425DE2B0B0D58511F,SHA256=C5370690E3140DD0814B8B3A13DF28A88AF83227A8490E0C1B72DE47CD2C8CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059734Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:21.810{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A59648E92A11D1B62830450901899D,SHA256=0435F931C7A2F0F3AA89829A9C2CA50D91840BFB47ACC08E5D670977202AEF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030648Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:21.349{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6E69443E9256CC63BC2F5B607D20D5,SHA256=28BE940C6F08486114490D11069EF86923B4413EF7D696DBEC0F3D7AE72E6945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059736Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.826{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0CEA41E750A066D31E03C139D96EDB,SHA256=91AA7821F215809398B36EE86247FD5C6B4B93528C8232B87CA37492517ED4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030649Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:22.380{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A6CF4AF4A8611CE59E87510460BAB8,SHA256=7FBF8FC1C8EEBDDA92974B3A7EA5011635A5F83E6325FF26E23DB07884D24B8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059735Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.560{B13AE1A5-4718-6092-0B00-00000000BA01}8604416C:\Windows\system32\lsass.exe{B13AE1A5-4716-6092-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000059754Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:23.842{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1411E8B6162B8CE1205065A5DC419C68,SHA256=0408E90234E40C4F2F3A62860E22A32C849AE829B6E6463A5D72DC5B15C82235,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059753Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.536{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54079-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000059752Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.536{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54079-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000059751Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.533{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54078-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local49666- 354300x800000000000000059750Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.533{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54078-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local49666- 354300x800000000000000059749Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.532{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54077-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000059748Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.532{B13AE1A5-471A-6092-1400-00000000BA01}1332C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54077-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000059747Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.430{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-763.attackrange.local54076-false10.0.1.14win-dc-763.attackrange.local389ldap 354300x800000000000000059746Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.430{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54076-false10.0.1.14win-dc-763.attackrange.local389ldap 23542300x800000000000000030650Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:23.427{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32179AFA19EFC51C0871C78D7E5FBCB,SHA256=48D42379845D559EDAF6629052B5F4D58FFF116555EC5C286417D7A51F6221CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059745Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.423{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54075-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000059744Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.423{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54075-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000059743Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.422{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54074-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local49666- 354300x800000000000000059742Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.422{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54074-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local49666- 354300x800000000000000059741Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.422{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54073-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000059740Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.421{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54073-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 23542300x800000000000000059739Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:23.482{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=567B96BA2908A5C04E1EA6FB9CE3DB59,SHA256=A213132EB92BEAD4F4024D26DB285F9A181FD8D5F53088D76E0AD70A9BE7D454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059738Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:23.482{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E86BACD3C6FFDA28217DFFA2B92FED0,SHA256=853322386E9DB182074DC26E88160EB2080E7A99CF187433C4AA563B49ABDFD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059737Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:22.091{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059755Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:24.857{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4767F41851031CDEFFFD31B4B4DEE96A,SHA256=9ED3FDEFDC2568157588CFDFB0E763F9B4158E5B2719CC977A0751B189AB0703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030652Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:24.443{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD2CF5F14853F52C07DA128B7A422DF,SHA256=08E8E255D5B98537E5FBF9C22A7EE8045C8FBE773B6F734D399D1FEFE0F4AC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030651Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:21.995{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000059758Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:24.537{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000059757Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:24.521{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000059756Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:25.873{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A350510E84025DBADC6B0DF5BB0F58,SHA256=E5A093435DF16CF6E3C30F367149FF7605C5164A1BB80AF86149FB1052682B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030653Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:25.536{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB38F880E02B2ED74136D8D9725835D,SHA256=B9DB1C2EAB30B4588AA4931C095C71F8B514C94F3A313B5F912B889CB6965820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030655Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:26.536{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A9EAAAAC70DF7D9C14766F3ECCA6D8,SHA256=FA892F2C0844BD310B77E4209C54FC77C2F9E1C519D78CAB1F3B240C9F644231,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059762Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:25.763{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54082-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000059761Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:25.763{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54082-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000059760Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:26.888{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B829E2C2742D5A0836CD80221232097,SHA256=60FF29A5687898F519C444F7CDA1DFF72AAAF758ACDEA9DBAA74CAF7EAAF0FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059759Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:26.873{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=567B96BA2908A5C04E1EA6FB9CE3DB59,SHA256=A213132EB92BEAD4F4024D26DB285F9A181FD8D5F53088D76E0AD70A9BE7D454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030654Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:26.021{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5F24B5D3A7D72E2522C1FD9DF5848234,SHA256=4F42EBB6A5437F2456C86ACA9C433B7B388AE164013B985D09F0B5621B901A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059763Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:27.904{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387BF3F0E1743D0377E21301F24F61BE,SHA256=744EBE66806533E1ACB39E0707EAC632AD35A2BA4CE43715658EF1E7EAB44E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030656Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:27.552{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD9970B0323F85DFDE91391E597808,SHA256=83C14EFD889F6051B84BA56758F0D68466109824D4104E7F3421D7880069E7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059764Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:28.920{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C116EEDEC2B27505E3716DF37403E2B3,SHA256=A28F47C68C52D4F33BCCA5FD75D3729BA86E918959BC56ACC421347FC63303D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030658Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:27.026{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030657Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:28.568{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE74CC13FBFC65EAF8C7CF42834B0A15,SHA256=186C3E7C734EA5EF9D488D54935C7ADC69AEE3F3ACBA0634E3A7FFCA39A757F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059765Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:29.935{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493307F766BE837425CB2A5F809F44F5,SHA256=E69090A302B0D9DE14AA8EAFE0751FD3D81AA667C8CD08D7F6DDFB67B571289C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030659Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:29.599{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A630211A25CE6326DFD552C590EC5180,SHA256=F754005B98229691ED782727EB52CE4A2A4FBA89EC1F64A4FF241BF2FE59E8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030660Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:30.630{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A976CE3C85314930E0484C957E449FF4,SHA256=B1878785231BD1A381F046FD10FF1C46F94F408491586E7FE7F68F084A69FA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059767Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:30.951{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B79DF3989D28E0F9D02701D06BB033,SHA256=D04049F3ADFCF45619D01C8308D8BC37C5E2D34B3CC0CDFEA94B129FF0705C2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059766Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:28.123{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030661Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:31.677{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331C5D70FE8DC0E842B2CDA8B8C1A110,SHA256=10D5A3A35095BD1E76F0B46DA960F9ECCE4F097ACBC0ADA6BC7ADD89ABFE20DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059768Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:31.966{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9374AB0D81AAD807A9C49715BCEB0AC,SHA256=17ADCFFD4627E53A8644D9693F722842BE432BFC5756C416319B641D19151145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059769Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:32.967{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D2C298690D40E5D66C363DDED6DC7,SHA256=AC6C900A65CA292EBB702A789711AEC1A2D5F837A1D43FF337681A9682786C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030662Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:32.693{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46AA794B65762C2827E045275376E19,SHA256=53516F818E31E801FC9B57F97FA2D76CBAB65C0EA78E558C639C9A257A83C454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059770Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:33.982{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E05B007DD95B96C3DA734C064867087,SHA256=8C7C92989F7C58EF5931ABA84640C6C16DDD779C3CEBC7526976AD125E5C0CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030663Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:33.755{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCECA0D8EFAC9B4EF172B646392E0A15,SHA256=309F8FF98A836EC679C41C800CC3DD90F45349128ED2293618872F4D17F060BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030665Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:32.823{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030664Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:34.849{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909408D211B39292FC4C4098BA1B2E90,SHA256=15025AC919673515F4959A6A4841965B9D2D43F5756A3789B59663D34C624F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059772Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:34.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37D65B92C85837364EC5DDA8D1E54FF1,SHA256=EDD027CD8E4CC5402502DAFC82CE5605C191885F8D76559BE714BEE91B7B4778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059771Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:34.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEC27E908CFC3F37DC54196420509D4F,SHA256=6774176FCA4035BBD1BE7B5E7DB96341BD7F44BB7F392AEC36C18BF33BEEC88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030666Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:35.927{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03551FC52F1C4338B3A2793FA2897F7B,SHA256=214E086584C357B5DA6CDB87C34562DC9DBB66060F2BD4B96E4385042218AF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059773Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:34.998{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB31D4DF9802EE7F7640197229F16BD,SHA256=9C20AE2713AA0853F151B6835C543E17AFF03BD340F836AD5BD120D0980142AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030667Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:36.989{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640AA0270787FE4F6165697885B1AEC3,SHA256=BB43F6B2ED3D241CE094A862373BEDCADD3553CF93C782915F065F1E9909FA6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059775Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:34.107{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059774Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:35.998{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2686658C119844C723E8B12095913A3,SHA256=4986807DCC3669A037D61B59306594512400239B2723A3CF354CE72A5202F5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059776Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:37.045{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701A3C99B535F3509913633387F4F95C,SHA256=75ACEBD0421815EE2D8CF08ABC8BA9EC36D55E50692D5E526F68E9A0D331939F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059777Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:38.123{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8566918D2507198F107CEEEFA624523A,SHA256=1E94E23D3A25E44239E6E1622EEFE15BB5FABAA23832121E8C60B064971E95E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030668Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:38.067{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03055C4EB66B18CB4D9E4638E4DCF4FE,SHA256=ABB54BC269D2007BDED400CA482DD6B013F7AA4D5E8C82F4562C226DB0E56A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059794Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B9B-6092-4209-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059793Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059792Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059791Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059790Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059789Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B9B-6092-4209-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059788Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B9B-6092-4209-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059787Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.967{B13AE1A5-6B9B-6092-4209-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059786Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43332F697529FD27A421163013A08857,SHA256=CF4A04DAD7F3F2AA565DA44FD387C5B303C53BD7B43D0E9334D7A15B0EEDF47E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059785Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B9B-6092-4109-00000000BA01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059784Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059783Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059782Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059781Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059780Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B9B-6092-4109-00000000BA01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059779Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B9B-6092-4109-00000000BA01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059778Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:39.295{B13AE1A5-6B9B-6092-4109-00000000BA01}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030669Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:39.114{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783FDA7D56DAB15451083CF0A669CB13,SHA256=CE2966D38E9D1C84E46FF58929C2E887E49AC2EFEC8B1EF2A65A8ADC29CDE85E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059806Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B9C-6092-4309-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059805Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059804Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059803Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059802Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059801Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6B9C-6092-4309-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059800Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.638{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B9C-6092-4309-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059799Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.639{B13AE1A5-6B9C-6092-4309-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059798Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.373{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4B91D97339EE969115C585FF5184B8,SHA256=7E8E56A926F654CF8291B802129F3937225D8A9A37F0E07C050FF644B0569342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030671Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:40.114{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AF3B421EEC7E1D978B1EFB03AAC1CD,SHA256=A4C8AC5A12C466E0EF932B07A84651558F1BBCB85FA8045E01DBEDB9892AF20B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030670Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:37.869{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059797Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C872CDCAE34DA626C09F13E16C5BC52,SHA256=18D19F05667FD5D0623C1D498124344379CFDF822FB254C02C057CD8A17FCC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059796Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37D65B92C85837364EC5DDA8D1E54FF1,SHA256=EDD027CD8E4CC5402502DAFC82CE5605C191885F8D76559BE714BEE91B7B4778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059795Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.107{B13AE1A5-6B9B-6092-4209-00000000BA01}80405724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059817Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B9D-6092-4409-00000000BA01}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059816Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059815Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059814Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059813Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059812Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B9D-6092-4409-00000000BA01}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059811Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.904{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B9D-6092-4409-00000000BA01}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059810Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.905{B13AE1A5-6B9D-6092-4409-00000000BA01}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059809Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.638{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C872CDCAE34DA626C09F13E16C5BC52,SHA256=18D19F05667FD5D0623C1D498124344379CFDF822FB254C02C057CD8A17FCC00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059808Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:40.122{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059807Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:41.404{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C365BA215BF6819BA513A668844064EB,SHA256=DA4047C7267FF20DA4CF7A1364844DE487729DB29AE30E820C35E1CD8995F668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030672Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:41.145{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB45FC46912DD19EE674AB2EC0156B2,SHA256=1A461E76484F0280B3A70C08F0CBBFD9717291A9082FE7130BD6683C7F518F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059832Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.920{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A848B654F52264039679414E65B076A,SHA256=739499DB2E71F8010746662A22417F1F1B31F431BAE27666FDE489ADBF4C03E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059831Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.670{B13AE1A5-6B9E-6092-4509-00000000BA01}27005620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059830Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B9E-6092-4509-00000000BA01}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059829Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059828Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059827Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059826Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059825Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6B9E-6092-4509-00000000BA01}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059824Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.529{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B9E-6092-4509-00000000BA01}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059823Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.530{B13AE1A5-6B9E-6092-4509-00000000BA01}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059822Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.435{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B04122F6E5DDB5BA62A3D99DA0BF67,SHA256=D58668720E9379AA76D3BE8AE52A76DBA64919AB3D23FE27D2E2BA44FC146777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030673Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:42.192{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0786833048E5ECE8AB365C4897388367,SHA256=BAFD1995618757E1A1935AD9011A7931214EA73F49C50C1F81D619D785B5C9F0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059821Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:42.310{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x800000000000000059820Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:42.310{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4\Config SourceDWORD (0x00000001) 13241300x800000000000000059819Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:55:42.310{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4.XML 10341000x800000000000000059818Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.045{B13AE1A5-6B9D-6092-4409-00000000BA01}55404336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030674Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:43.192{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7EE0A7EB81D716D2C668074DCDB2C7,SHA256=B6B9962B55C59220D8BF869A6FF9E8465FA2F9D652647A9DC287E0748FCA5482,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059844Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.280{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54086-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000059843Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.280{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54086-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 23542300x800000000000000059842Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.529{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DEA3D0549CC51800972F04320802A3,SHA256=15302DE745F8D1BB1AF08EDF9DDA17176738FE4D3774B5908AC3BDC78902AF4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059841Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.310{B13AE1A5-6B9F-6092-4609-00000000BA01}33683688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059840Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6B9F-6092-4609-00000000BA01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059839Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059838Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059837Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059836Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059835Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6B9F-6092-4609-00000000BA01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059834Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.154{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6B9F-6092-4609-00000000BA01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059833Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:43.155{B13AE1A5-6B9F-6092-4609-00000000BA01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000059858Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.300{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54088-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000059857Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.300{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54088-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000059856Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.294{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54087-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000059855Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:42.294{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54087-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 10341000x800000000000000059854Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BA0-6092-4709-00000000BA01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059853Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059852Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059851Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059850Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059849Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6BA0-6092-4709-00000000BA01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059848Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.810{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BA0-6092-4709-00000000BA01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059847Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.811{B13AE1A5-6BA0-6092-4709-00000000BA01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059846Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDD2A8934E4F0B0CBEF34AACA01DE47,SHA256=734D9837AFC061D7DAE9BA514B42D33C19D6714BBB69861E6CF39C5A50A0BA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030676Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:42.901{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030675Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:44.208{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1C4748F51CB263E0575833288902D4,SHA256=077AD114F8505A89AACA3B3C827FFEB60EC8E62FCDC92EB2F5F8A797B3D4C22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059845Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:44.201{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A4BC25ABBA307F360471F2B791FEA8F,SHA256=FA68AFE2219F49718DD5E6BD6F89C14568279E17E571B2E0552104491D0AD534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059860Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:45.873{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB2C5C2EE126A1866CF17D7E6A8A7B3,SHA256=38CAD8164B6C031594A06AD695B9A4DFBCAC39F8A73F4A7F8F8AE7BDF1BEAC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059859Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:45.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18C0A73DFA39C27E8F27200225E3A90,SHA256=9918E37D74E93DE526F4DA12097C6E8D9BB8EAE58019BE335CFC06152A7C026A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030677Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:45.224{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B5ADB2561329CAFCF40B9504AEC155,SHA256=7D14E8B6BE33034E038A4ED9EBB3B44786D227DCEB482595D3753AC47DB6435B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059862Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:45.169{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059861Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:46.623{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B4B711A8ACC1DACE99FDC15172AA1A,SHA256=487C9FC1B034DA99D68B4C3F5C4B0B7F9BBD451B5E5D39319AC7F8B565275724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030678Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:46.239{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB95A009D08DDD36ADC23CFC87795EF,SHA256=D2A110486B68A0FB126D3FC43AC2AB215EDA1AD037A41267DA6A9B00403A781F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059863Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:47.638{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD585915FE0A817319D5DDACD5DF119C,SHA256=E4E6B7351AEFF5202DF509D0F80C9BB3FAD80D86EACB8ADC5F52E27CDD3B11D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030679Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:47.286{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123A0C19C3F48DC4498A377F46628C20,SHA256=0C2D46BFEB5C0F371CD6EC52E4FDEBDF87DAF67DB9348B4E5CF1249611065F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059864Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:48.654{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570EBF9773B37E97F7B17427D2ACB511,SHA256=F22213944D6C6BAC0A8B28BFA8B52B7FD64BC1DC5DD7DBFD46F79F0B87E53164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030680Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:48.411{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076C7C916C38FA27DCFE84C65FEEADA3,SHA256=DE9B78ABF8AACCC622F3B721FCAB7ADA9D4F1CDEF2D74692CFFA3E6DDE004CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059865Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:49.685{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872CDF2FAF0E53126D1D6DAFEFC3C505,SHA256=DDF5B1E2B00192CE5E8B2FE2F3F7B04E899E896C740A4A094A4F97D3A40A2DEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030682Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:47.947{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51589-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030681Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:49.427{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9D0D3613FB2054E22DF1144AB3F0C2,SHA256=2A514348FE4C99CD1730A7B17B3848D8C2646648116E2E549535BFCBF04602A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059866Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:50.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39A22D5A180D2B46CED8642F5058DDF,SHA256=46AE0A70567A32FAE2B2C7866256A2125DE545B08B5099F6003936590A6BFB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030683Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:50.489{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A237F1287D6C45DA252252C1B2FCF51,SHA256=ECADD2DB0C4C5A12ED35AF483B4A224582D5C9B11657DA3FCD86C02608473448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059867Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:51.732{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1718380C5868DE66EC0B4E68D8F0E4,SHA256=C4F42B0275AA214676EE55A02B8BC3D9E94DABCE1B0FBE16A40A4AA92CBB38D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030684Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:51.505{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676D6EDCE8B18AAF5F9670C89ED47F49,SHA256=0A1CCCA49695A53B7C45145736CB39E6D136F782D395AE98CEB9041469A4A23D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059869Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:51.185{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059868Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:52.748{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D227C2B78C5727BEF601061BD3FAFB8E,SHA256=56958343F04D4B352C6A0D5D1B736EEE7749ADFADCD6459F7842223AABD1116F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030685Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:52.536{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7B1ABE9DE58D1DF4BBAC341C4FEB60,SHA256=9C3C92382D2067E04E33AA0A62C5EFA1C7D2915A4164C1341A03E2684CF2E811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059870Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:53.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC73AB201BB5229E896F4797E258EFF9,SHA256=8F30B37E1FADB96FD7E551F7F87538B19672D459DB76E3EC6F39C035BE8814D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030686Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:53.630{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB79CA2D50478608839FAA1F7C3AB862,SHA256=94A202A8D1AE4C3E2BA659AEB39C1DD21071C547B92B9E67025467F20F34CAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059871Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:54.841{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A1645B9359AFADA8050860205CB719,SHA256=C81E7A285C61A30704971E2F1D43B856BDCF176888C5652F3865990029C9682B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030688Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:52.994{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51590-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030687Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:54.661{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756D9CCE645ADEEBBBDF16C4F1E63EB6,SHA256=13447B43F3E4D4596F54C5883E34CBF1EEBF5F98EA1686D5F2C9199901BD213A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059872Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:55.982{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BC039EB85C5B53B63007161A503E79,SHA256=AC74A8F2E2EF1F6A073C42E935AAA22C119E3AD69E4FCB81357C5E861163D5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030689Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:55.864{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA51B682E811D17364C1F8AE5DC5F62,SHA256=97EAAEF956C4F94CE90B536E97D0D78439442A5C710E571939D1836C4AD38515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030690Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:56.880{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7B1E3EA21EACC901E63207D39BB040,SHA256=3BC5B3AE3072666731864295626AF54C9B6ED715DF0E47B12A4BB2303FA59535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059873Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:56.638{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=40D644387FA996F77F52739ED1C45C00,SHA256=A8F73946959F38A020FF812968A046D7CF575F55BAD465079F80A96C2EF85EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030691Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:57.926{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DC63C7D7D8F79CE8CD12C64EBCD7B5,SHA256=BD59456FC1B0E2613BC7ADA1B826F93BB7F2EB93595226E593B8AD35EF4E86F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059874Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:57.029{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78590864B0C987F62ADC34C109B3B33,SHA256=AD50929595014048577943779B760C193895ABE10D534C52F2B3D1C250F0600F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030692Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:58.989{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE975A4940062762FFD2D65E4A1BE1C,SHA256=CC2C4D1A56406F782DD9F282BAC3A743060B03F0CB0AA6906CBCF81BC88F1F58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059876Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:56.216{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059875Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:58.045{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CFDCB1ACA142476F7F57D1B856FE97,SHA256=ACE773CFE72D3B22EBFAC2841A8F9701C777FE59F4772A90BACAFA0716177285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059877Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:55:59.060{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4835944A26E06F587BBAB0559D96591D,SHA256=40B1EEA771AEF911BCC504C1FC0A08EE8B6EFB046120BCD4977F2989167AFB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059878Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:00.107{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB91AAD2F7EFCB9EB415D3EC5E4B64B0,SHA256=69B550AC184ABF44F61600864AD6EB3CC93068666521BAF4CCB55B50BFC8692A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030693Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:00.004{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AE24A61C0B4EC36648D906CEBAEBEF,SHA256=45DCFB142362D9F38719F81DF2AFE2F81B204CD9163DC60F372BE73A6AFEE827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059879Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:01.154{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8051282C9A370222CAB13C0D64F05BC3,SHA256=A16ACD4C815809920829E7B35986B681D28A51CFFA9DBD77D46219BAF5853E4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030695Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:55:58.838{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51591-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030694Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:01.114{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C610DB59191D2E00D8AF042C11B3A55,SHA256=6444427E35565F2389BEC964A532A49B12C526820AF51DB8E4007FDC584013D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059880Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:02.216{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B07F8F2169FBB2B79732DAB6784749,SHA256=55808059F1D4EE010B2ABE21E331AE7AE42C053F24051F1607E022C140DAC997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030696Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:02.145{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEBE07250DF45AFC2CDC86E93BB3AFB,SHA256=1CF8E51EB404F181E817A564F90065E4D945D6F68042CC71A833B77A8AA95A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059881Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:03.232{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C7F62533A83F56C3A09FD1B1C9F6E9,SHA256=8F63E6653725DB118BA653702022D78CD05831C18E67F19057E0001C07445EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030697Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:03.254{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1868667392B72E58DF06415616A0D77,SHA256=DA5809CF69CADF931CDA9868CD5048EF98E88886193A1BA3F7A2C32C657AD8E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059883Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:02.231{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059882Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:04.295{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A38A9492DDAAE0266653FB2912D194,SHA256=4DB5FCE0138BE498A28126839DDEFAD1273564299D21B5E8DF2B774235D3094B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030698Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:04.286{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3733CE7BF7308FABBACEC229477F97,SHA256=CAA70CE7D8A12CFC2E85BACFA47D064DCDC37BD3BBE227D3BF8E85EC8B3BB12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059884Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:05.341{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0168F3EBC3C4DD5EBB27295625773C,SHA256=853BA8383666864D3EA022E40587E11C7DA6BFAACDAB9DEB136286B992E8778C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030700Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:03.869{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030699Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:05.317{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4253819CF219DA55418606BEC4559B37,SHA256=5ECB5DF10FE2CBD1210CE46820ADDFCB03E9C2AA532FF07BCA4491FA3A4CD5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059885Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:06.420{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A815E20B2E8064F19F6E23D010D1B5,SHA256=915D372353480C2518AF979C303503AF64F6222138350BE35C8EEC2D63C8E465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030701Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:06.332{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD98D9ACF0165EF2F7905BC1AFEE0BA,SHA256=F0D6D69B778538DE5BC68C9AA1A14253435C6F2411755897832541B1B9376AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059886Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:07.435{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE64D4C7666F19A3220EE890B0AAA75,SHA256=465C35CACDF255402AE1ACDD88D5784C57C39CCEC210E903F5125D8949C57D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030702Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:07.379{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F66FB90F7DA7409DBFDC7841E655A3,SHA256=D1B097740A4654599D1DF5A2D0546FFAE1186441AB41ECDA867B20926F699ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059887Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:08.451{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B18E7A6E4E544C3D487A912200ADE2F,SHA256=7A83536FBA7B565AE59748719D0BD6F973C73CAF87F40E70C492D245F091DC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030703Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:08.379{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511CF90208F534E50B095841BD984556,SHA256=A85C42BC0F189B854CDD4423A6F0884B27FD42001898589D80CC94E1D1F5C1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059889Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:07.997{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059888Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:09.466{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BFF36AD171FC97A224891CDF34FFDE,SHA256=33EC9F2C7E458146DE37D43F8757F68F3A6BD0F3366DDCE70BE2B22F3C06FB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030704Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:09.411{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE81996DDE4A642E7761B491150A5CA3,SHA256=2CB836B8BC335AABEBA2A4496103000C5EA8DC647424D21E7B56E274C69317B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059890Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:10.498{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEE61464AD842C13AF1708E26CED795,SHA256=E459983B7753C2F4B9081AA2FAAE8616C4447BC0220F70D6BCF9549EBB0C3189,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030706Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:08.915{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030705Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:10.426{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A95CB1099D675BE985AFE01CF9F2B3,SHA256=BFDEDC2D7AC59A2337CE748D0CF51CEF56C05A02ED8205377B2E917FDBAA7C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059891Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:11.513{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52101501331EAD7C819DDCB6E4DBD66,SHA256=83687A80BEEB6C17D2B88A5980D6F206C2FDA39121A42AA4E1D708D3632F72F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030720Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BBB-6092-D804-00000000BC01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030719Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030718Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030717Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030716Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030715Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030714Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030713Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030712Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030711Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030710Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BBB-6092-D804-00000000BC01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030709Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BBB-6092-D804-00000000BC01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030708Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.739{04D9AEC0-6BBB-6092-D804-00000000BC01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030707Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:11.504{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DF34A9FC420F8BCD242B850ADBAFB8,SHA256=10958DD2B771DAD883D8DAD5BFF61C2E7EACF86AE75BDA9367CF0340C38151C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030750Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BBC-6092-DA04-00000000BC01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030749Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030748Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030747Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030746Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030745Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030744Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030743Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030742Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030741Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030740Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BBC-6092-DA04-00000000BC01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030739Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BBC-6092-DA04-00000000BC01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030738Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.928{04D9AEC0-6BBC-6092-DA04-00000000BC01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030737Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5ED45618AA093C52717E59D247F1AED,SHA256=2650A6E0C0BA0595BC15F13553CCC114339DEB512E10DAFBEEDE29520B621DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030736Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A284AE93377BDFB9CDFA8FC4F1D711,SHA256=E0D88B5C710BFE92FAF8322DCBA0D9C4431F7BDF551028289B2015B0AEF1F5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030735Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.926{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A20533EC352DF9FB185489BDE68FD66E,SHA256=012F9FD4FD18CAC7CA0C9E15B047005969C2B75D775FD53C4D0B5A7B3E6D3877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059892Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:12.529{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C099ED5648BDD265F1793168107DD24,SHA256=00021F5EA638C56FC270EF379788020AA4576132E7A26849D46B2FCA5ED82AAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030734Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.551{04D9AEC0-6BBC-6092-D904-00000000BC01}38443564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030733Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BBC-6092-D904-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030732Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030731Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030730Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030729Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030728Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030723Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6BBC-6092-D904-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030722Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.410{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BBC-6092-D904-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030721Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:12.411{04D9AEC0-6BBC-6092-D904-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030751Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:13.942{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDC010D0956055E068A0D34A449A275,SHA256=7DF5E8AC4426C591AC62D5109315A1EFF33096921DFD4B39942AA38282FDB9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059893Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:13.544{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6629F2C97C983D3B9F8C1599B9198DBF,SHA256=A697FCADF02155C3F064984D5A94B7871610C93C3D5DC52AD720B2B0C025358A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059895Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:13.200{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059894Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:14.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA9F891BC5F0F21006139BA466E7179,SHA256=EDC67D3251A7A3705811B28BC05D72010F39E052480ECE575DF3DC31D33DF8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030767Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.863{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030766Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.129{04D9AEC0-6BBE-6092-DB04-00000000BC01}8282964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030765Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.020{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5ED45618AA093C52717E59D247F1AED,SHA256=2650A6E0C0BA0595BC15F13553CCC114339DEB512E10DAFBEEDE29520B621DAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030764Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BBE-6092-DB04-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030763Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030762Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030761Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030760Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030759Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030758Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030757Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030756Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030755Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030754Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6BBE-6092-DB04-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030753Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.004{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BBE-6092-DB04-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030752Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.005{04D9AEC0-6BBE-6092-DB04-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059896Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:15.576{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DC96F2EA01E2885D965BACB592605F,SHA256=05BF4A16A4030C1D30B402E3893EBC7DDF0A17E3FDA3924B5D33E1F580CAD124,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030796Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:13.947{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030795Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BBF-6092-DD04-00000000BC01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030794Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030793Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030792Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030791Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030790Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030789Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030788Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030787Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030786Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030785Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BBF-6092-DD04-00000000BC01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030784Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.879{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BBF-6092-DD04-00000000BC01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030783Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.880{04D9AEC0-6BBF-6092-DD04-00000000BC01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030782Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.348{04D9AEC0-6BBF-6092-DC04-00000000BC01}298096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030781Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BBF-6092-DC04-00000000BC01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030780Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030779Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030778Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030777Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030776Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030775Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030774Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030773Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030772Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030771Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6BBF-6092-DC04-00000000BC01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030770Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.207{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BBF-6092-DC04-00000000BC01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030769Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.209{04D9AEC0-6BBF-6092-DC04-00000000BC01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030768Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:15.051{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911FD21898C794BBB834361079FF7A22,SHA256=184021E4C720E6586F47477B7C8A05C4B8A8FD4DF29DEE30CF6F8E1D1051945B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059897Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:16.591{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47392CE31B9BD24BB89A5E6CBF6F1BEF,SHA256=0B962D0E29BDF0BE45F4C7E7BF0DFB4E66A70E5BDF52E9D26D41830FC3BCA4DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030812Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.692{04D9AEC0-6BC0-6092-DE04-00000000BC01}3576220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030811Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BC0-6092-DE04-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030810Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030809Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030808Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030807Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030806Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030805Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030804Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030803Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030802Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030801Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BC0-6092-DE04-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030800Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.551{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BC0-6092-DE04-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030799Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.552{04D9AEC0-6BC0-6092-DE04-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030798Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.348{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C49C0454FF28C83A77EDAD7582B084,SHA256=F77DD7E9767E83F2F0B1FAAEA180F558E84F46E1E2FD26B61051B9B6D38F90B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030797Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:16.348{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B4E72AD112401AF9D217BB28F2A6B6D,SHA256=CACDDB53CA1464B346C3CD609791EAAD64F90C42B205FE27EB6B1FBA9EE3411A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059898Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:17.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED3CA366FCC2F7D3331CE1A824F9B9D,SHA256=48CDA80073BDE62C4591970093DCDC24AE9FFF177FD5847F1E116184B0F14BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030815Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:17.567{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BAF4B88E325151720B5DC76E0BFE9B3,SHA256=E3B1316648BAF0A6592B2FB4BC1493195A27E4DEC65CE474EA4866519078F679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030814Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:17.473{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB82BBB09061379A45BDD832DA87F4A4,SHA256=DBCE9762B04CA761103B58C52B9D2CDB25062ED65FC4C34ACCFD511B1A6E7B39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030813Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:14.634{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000059899Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:18.623{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B04CA7E3D83F9ADE650B538906CD397,SHA256=FCA97ED2E981491C0FC98FB59FF49DBDAD968AC906BBB22B3BD91849C8CB6CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030816Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:18.504{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDF0B02692089E9713168332F1F2AB9,SHA256=FA6E0769CAC9381E3C4E0EE8A8BEF8D74F594D66DDED76E96EA65CE592E6195D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059900Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:19.623{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DC89C60AEFC8AE067458556C3E841C,SHA256=623EEB2D83573A7DBA4F9EC53BD075F6F0D642D80C054E988D619FB9C718F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030817Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:19.598{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F213F118258BAC87F755FDBF7AFF44,SHA256=B73DD14A6BC7B367B1964452D280CA41AB61068F1A98701417C4C843D800EBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030818Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:20.629{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D0AB50D2B5D0E424702E521BC6BB11,SHA256=F6C827B4C3F59B73693D09F58E6FFF205E82A948AB15658F15C36AC37120380A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059902Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:19.231{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059901Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:20.638{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CE715BC3C8CE774559A001B1811A93,SHA256=6C1BF6B4C16240F66D016FCC85651747914DB8B2CDF1137059E9FB3025575C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059903Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:21.654{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653EC082945F5641F200EF00678315E5,SHA256=32904978C9AAE5D929F6B7C9FCA4BEE376844D8348F9D71AB2B86FDCC5315EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030820Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:21.692{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124F7AECB13B6AB44B5EA710434AEA95,SHA256=AE295A906C06287C2855D754D94AFECE290AD10F793BCCFA2663EB71C5BFD423,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030819Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:19.009{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059904Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:22.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B1F686C1C667FB712999A449951918,SHA256=07A849082CBE19FE87BC8E4B7F30887B7F05E3C0EF0CCE62CFFAA7D20EBB721D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030821Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:22.707{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4667DECB9894055D779D68AE3F1776C,SHA256=573A02060B764A83EACCF4BCB1AC9DA9E75536EF6E854086F4D22A8B696DDA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059905Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:23.685{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC2B53B41F80403C304D4D61CECBDBD,SHA256=B75428F0FFB5D95843567F19E1F08D4D6404272D2EA634DDC5D74C627822A54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030822Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:23.754{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DE1A14987EC9BAB77367AC708DDA5A,SHA256=C60238EE41DE0CBADC9A1442BD0C8A3CCBD9C9BE2150BD2336114EAA25BDB8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030823Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:24.801{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EADF031B41EF3158C381D141CE2703,SHA256=F90AE6D41415788C36EAC5450D1F0C4C5BC7542207AC6487C089BE149A7889A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059906Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:24.701{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C20713EBF6B9E5C226E847BD11F65F,SHA256=FE2AFDCF1EADB706411265DB344D17FDCB32D4ADAE160DD01C0F91FD2C34DE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030824Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:25.816{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742FF98E5D3F1D0781FFBDA20A1EF3F2,SHA256=1F0408F06C24BC1C240937EEE278E9B2CF40074C2728CBDDC410292D4BFE56CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059908Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:25.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA0B9162C4CCC84590052C09953619D,SHA256=4FFB84547AA2A40DE80AB23AADA1AA22AF016F15ADE8570F3F1D5226C7996480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059907Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:25.107{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059946Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.904{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63B0649890C452AF70CC762732B5F30,SHA256=0C34D97CE8CDBE8C53D4E93B092A23A5952BB7544F8C94FA6B07CDF610ACD996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059945Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.904{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79F186712DC9F8DA358D4B2538F05DD,SHA256=1D798F7512FE98A951DE84958A6ECB36B8087F996F0B9CD5362B10BC28C46192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059944Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.888{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF9A99B514607B49A716B162A70B9F5,SHA256=0EBA7557114299B0CE451E722DDDEF81556837CC122C76BECD9FE881374680C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059943Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:25.059{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000059942Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:24.997{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030830Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:26.848{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5BE98164D4B2A961CD68F0DEF97666,SHA256=01D51BFE56156EA935385E899504335868C9284A38D0BD447E025FFB8B1D1A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030829Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:24.837{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030828Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:26.566{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030827Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:26.566{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030826Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:26.566{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030825Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:26.035{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A940DC52C55A5E0C27A618A4A052B0B3,SHA256=63742171DCC8730DF77FD95FCA9167EE750F8D0F36AC54178E9D8ED7B4D25C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059941Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059940Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059939Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059938Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059937Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059936Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059935Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059934Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059933Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2C00-00000000BA01}2752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059932Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2C00-00000000BA01}2752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059931Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059930Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059929Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059928Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059927Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059926Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059925Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059924Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059923Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059922Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059921Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059920Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059919Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059918Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059917Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059916Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059915Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059914Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059913Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059912Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059911Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059910Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059909Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:26.466{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000059949Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:27.857{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FCE48D22EE7AD5C70857BA98172D07,SHA256=53AB2FD819464257649D2CA17AB7BBF410EAB6AC11831EDBF05AC2320C808F7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059948Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:25.778{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54098-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000059947Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:25.778{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54098-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000030831Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:27.863{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812487E9A16E8CDBC03FFC08549618C0,SHA256=F23607A89ADC299F15A82BA4F8A5AFB055F315FD007A96443C50E4A0BA6CD8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059950Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:28.873{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B06C04DCD2AE30B1F0395B567BB5BB3,SHA256=658D1BD2D3FF437E405416A0B7946AB1C8BA09722E06CDC78D7BED6C138D7019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030832Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:28.894{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED0E40910033DB821A22BDA2BB93EC5,SHA256=DF01E22ECE369DD9F710CDC107BF6565A95D0F83CA3D6BCABEF047B868F6B23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059951Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:29.904{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5978A51088F169996449D65699A8412D,SHA256=15FB2F896D2580E9BCFF9FC47E89B8D587724B304618C27E080F42A45F412AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030833Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:29.973{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE49B86CC5211884E3E0D070A5997F6F,SHA256=3FD3A5151DA20C3FA09F9F2B33F4C300563F570741AB0BFB351AECCAF2B35CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030834Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:31.004{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF038916D7B9384F22B5DA1A53A8C672,SHA256=30BEC69A09A95863BF8C5153C6EAFC2796D1D89D6958AF237D795F1590B142B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059952Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:30.998{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900A22DFAE2F7E40170FF96141DD464E,SHA256=2DA878C000FB257EB3FF0398815158727ACC5EF295101825099E5984C1CFCF29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059954Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:30.012{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059953Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:32.029{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027458CE02658C636CCC09950F45D511,SHA256=995EFCE329FF9DD68DFE961006138299EE900181B7FA08E348C433EE910DC4ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030836Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:29.868{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030835Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:32.035{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A9C226B697E6CF8DE9E6C0EBF6D2AC,SHA256=896D895B63534CA8FFFF3D647A53BD69F1BC64F33DC63C951BA8901A121C35DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059955Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:33.060{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E38D5E9446E592CCB28EFEAE43E8BC,SHA256=ED43C2D299B790EF40494537E90A8FDC1A93CBB6C2FF56088A67DDD5246119D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030837Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:33.066{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E37DF2D21983A8EC4598A037632EAA,SHA256=B2C2B6214940E2206C81DA271B89E8238DECD05AEF158A553919DC9C9833D5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059956Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:34.107{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E473895271FE81EACC53E27353C0879,SHA256=4572E351A98368413F83F8D30B0FD68EEA66CF94A2E98A6580B34188E9184F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030838Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:34.066{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4A1E7D7184405916C9B2D27318D91C,SHA256=0C6F71D2D01FDC67A26FDEDA6134698EB39325FF38B7DAAB0226B54E263B21C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059957Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:35.123{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B043724A89C75285E4E4E6BFF6FAA0C8,SHA256=764AA9E90C8207A3065A13041C3DAF3C04797EB2AFBE47F729B5E826D81A929A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030839Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:35.082{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC353EA28D7271760801EAE28E75035,SHA256=0E62FB9B9266F739812E03C08C4BA921F83A6FD76339F4815289FA8796F079C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059958Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:36.154{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E69E6F0FDD5C846E0A3686250BA5FD,SHA256=CB4DCF27133EC1E1D57F412FCE76CE2ADF53C76889462EDFA406D0631728689B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030840Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:36.097{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCE82FC09B6493B7523A84B0819CBFB,SHA256=7F2519872720B8268396F3C6AB6099D1FCA0EA29B49233D2A9D738097F1A8D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059960Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:37.216{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C156BC548572467E634C9C659B72FAB,SHA256=D286684B582AF00CCAD05A11590007FC3F9C22BEC1CC6C485505B31FBFA47C7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059959Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:36.028{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000030842Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:34.915{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030841Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:37.144{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D20578FEAB7DD084F6FA2C51F29F38,SHA256=A5840C3DEE821BA8700A2E91796CCF276D8A1827282C7C597BE62D0C0B70E4F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059961Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:38.263{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248B28E74E180EFAD98443FF690F2ABE,SHA256=A6BEE88E95C799223C1C72AA99578DEB4207F64BB947B9A846CF3637A86D47D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030843Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:38.175{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFC9123009942DDA4E40E549F6B55E9,SHA256=2CE06E38F38E9C8036F329C28960D71B7056956F0A53F7E5A5356D59A5AAF13A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059978Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BD7-6092-4909-00000000BA01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059977Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059976Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059975Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059974Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059973Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6BD7-6092-4909-00000000BA01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059972Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.982{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BD7-6092-4909-00000000BA01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059971Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.983{B13AE1A5-6BD7-6092-4909-00000000BA01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059970Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78303ADB905B5CB5FC3DCE741C0D5AE5,SHA256=7703E824EEC51E0B2E381BEF6EE9896D9A795C5AA715A3A0D9692CA5CA1A2F04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059969Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BD7-6092-4809-00000000BA01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059968Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059967Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059966Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059965Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059964Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6BD7-6092-4809-00000000BA01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059963Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.310{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BD7-6092-4809-00000000BA01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059962Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:39.311{B13AE1A5-6BD7-6092-4809-00000000BA01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030844Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:39.191{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B666D326BAEB4A59790ADCA6C954E38,SHA256=5B851B58A0D971708E048E71EA3805393E6419445DEE84B4E4BBEEB16C290C64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059990Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BD8-6092-4A09-00000000BA01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059989Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059988Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059987Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059986Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059985Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6BD8-6092-4A09-00000000BA01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059984Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.654{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BD8-6092-4A09-00000000BA01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059983Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.655{B13AE1A5-6BD8-6092-4A09-00000000BA01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059982Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.435{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB214E55183BED96E792013771032962,SHA256=F2C2C8A785294BAB556A7DB2F67781887D6B41EB63F605FE060CBAC25AE43D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030845Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:40.207{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216FC47065E3B73EC388854F9D7016F3,SHA256=C80D930CCCF0C170D954DAAEF186566665AFEEDB39A2038B176E6BFCB537DE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059981Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCB12985346203266D54C7654298737,SHA256=629D5DC58BD1D1964192652F5062A954882026A00CF984C077D70FC694107DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059980Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63B0649890C452AF70CC762732B5F30,SHA256=0C34D97CE8CDBE8C53D4E93B092A23A5952BB7544F8C94FA6B07CDF610ACD996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059979Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:40.122{B13AE1A5-6BD7-6092-4909-00000000BA01}50405016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060000Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BD9-6092-4B09-00000000BA01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059999Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059998Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059997Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059996Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059995Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6BD9-6092-4B09-00000000BA01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059994Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.857{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BD9-6092-4B09-00000000BA01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000059993Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.858{B13AE1A5-6BD9-6092-4B09-00000000BA01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059992Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCB12985346203266D54C7654298737,SHA256=629D5DC58BD1D1964192652F5062A954882026A00CF984C077D70FC694107DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059991Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.482{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3703E54B819468DE28338292AB178D,SHA256=2779558BEF93F6A4E4FA0AC2784C50646E5E3340456F374135E6A54B469CFB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030846Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:41.254{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387B1638966B1DF5DB8911ACCA2C6392,SHA256=D2AD823F4C40CD5DBF87AE4ADEBF9EFB6F31461593053432943E7C1D57E2743F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060012Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.951{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25DA93ADF2121CC16980E463A09DFF7,SHA256=5C27D307CCF2DA0471344E8B71F2131F5C0B9C76F98C17C68EE1DE3075745C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060011Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.685{B13AE1A5-6BDA-6092-4C09-00000000BA01}12322592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060010Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BDA-6092-4C09-00000000BA01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060009Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060008Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060007Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060006Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060005Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6BDA-6092-4C09-00000000BA01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060004Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.544{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BDA-6092-4C09-00000000BA01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060003Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.545{B13AE1A5-6BDA-6092-4C09-00000000BA01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060002Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.513{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766B7DBC12149C1D5523ACB58B73B65C,SHA256=0B68963FDB967D9006A72A6C1C6CA0FB46EC7F67B2F90539DE92EB792BAC591A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030848Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:42.332{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB1A19A84C34C05049F4B0BB6CBB99C,SHA256=273AE2A1BE1AC89E9AB71D71F2D064C59397A291BA8CF50A2D17D019151EBB9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060001Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:41.998{B13AE1A5-6BD9-6092-4B09-00000000BA01}5496604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030847Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:39.962{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060023Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC32398E17E66C1EAB33CBB57C3EF66,SHA256=BC5D478AF791F58FCC3A7EA74E7AB6454BD62351EA7F8A6A22293B37B3613863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030849Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:43.394{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96962D1BE6D0D09CCAD0530126EC59FD,SHA256=10F31DAADAFC5E64F5EE84BD6887753A09CDB40E653170B9C20BC9AAF20BA356,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060022Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:42.059{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060021Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.372{B13AE1A5-6BDB-6092-4D09-00000000BA01}12365572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060020Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BDB-6092-4D09-00000000BA01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060019Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060018Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060017Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060016Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060015Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6BDB-6092-4D09-00000000BA01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060014Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.216{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BDB-6092-4D09-00000000BA01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060013Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:43.217{B13AE1A5-6BDB-6092-4D09-00000000BA01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000060033Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6BDC-6092-4E09-00000000BA01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060032Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060031Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060030Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060029Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060028Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6BDC-6092-4E09-00000000BA01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060027Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.810{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6BDC-6092-4E09-00000000BA01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060026Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.811{B13AE1A5-6BDC-6092-4E09-00000000BA01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060025Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354F091BF92E38D5945CCCC02FCA4594,SHA256=DEBF52BF86A89778530AFDF4F15A705829BB9C41503D0581ABDA7AB9A2B957C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030850Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:44.457{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7506ED7A943F0C46898F866C0D00FFC8,SHA256=BCE94EF226E241307D4BB10C8854C346230A48D17F323C05B3A77039068097D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060024Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:44.232{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8C6085542E2538759D76FE28E207C0,SHA256=1761321784506E45435A7291FC8C925DEF20CFD7117E0AD8F5C5E30C11BF5729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060035Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:45.826{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66B5FCA401765B020DCC7648DC21B038,SHA256=083C7EBA6A96AA66A6A3A841858745E8F93B2ABA162E918DEF439B054688CED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060034Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:45.732{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1CDB106F071916B2948D0DC6E1679C,SHA256=5620069828679DF992A601B2C5736E3891CD6464C2F4ABA64F413E3628CE53A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030851Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:45.597{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7A9BA6319562BD8D8723984A8B9E7D,SHA256=5614630BB4C6917FD71DA028A75ECC44321A045A3B962BCB45BB5029DC37F31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060036Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:46.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DE38B7D656C64FBAE03FCC225C0EAD,SHA256=F7FA0D11569CEC93105E815367BC441A92C6DB81A1B4AFCD3631358DA6C41290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030852Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:46.597{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF89B308E03FA3F5CD737A69C66C1612,SHA256=2DFD6F6E48E0351D14E8391A9E7E1C053EAD9105662E83670F9C1DB0D0FD8CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030854Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:47.691{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD954F338AB3FD44073D6AA6797FD4D,SHA256=15B3F4EE51510975758229CB63B5915EA5241CE5EB01283B12C9612C97F842A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060037Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:47.779{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F4AF6C9983136DABDECBDEAAB70BEB,SHA256=1A2555272ECC524EC5C4C85DC2BB9509F2B417CECA07CCEFFCD670A82DE6275A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030853Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:45.836{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030855Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:48.785{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F128C84E4F1F533FB72511F0BB6B500,SHA256=190DE80712635E1EFFE9AB1CB2B700B0333314D4FB8C3E1892B4A5F85F39DEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060038Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:48.794{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C01F3410BB6D4E0E98F2CC39A92CEF1,SHA256=0CE4CF454329B44261F893BC1A4E343B6C84FF7FE11392322F38097F635EF54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060040Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:49.810{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FDE4E1A276CF0E9E3512A121AD8F9D,SHA256=1E5B4D7AEACFE1DB2F1998B1F95E1F85E8EE056AFECA970855B942EB84FA4501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030856Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:49.878{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F88D8587FF3B5E722B71B456C45B38,SHA256=DA4F12FECFC727E878D5ACAD8970C2DC3E44D91267F00B0E323D6B61DE7AB69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060039Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:48.106{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030857Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:50.972{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186CBF0569B3B12CC4D948279A67AB91,SHA256=9CD3C1AD390D18631108771B79D26FDE5805243B1C9F9EC8DE5E39F5E8C5A562,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060041Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:50.591{B13AE1A5-4718-6092-0B00-00000000BA01}8604296C:\Windows\system32\lsass.exe{B13AE1A5-4716-6092-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000030858Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:51.988{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436DEFF4C9B2AF432382E9C7E061285A,SHA256=4065037D64BDEBAE4DC4C472ECABE0F8BA9C11D36573DAC311C083B6829FF589,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060046Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:50.560{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54103-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000060045Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:50.560{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54103-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 23542300x800000000000000060044Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:51.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9221DF7B21606D11DF96CC68B28D802,SHA256=C3C607484BE0D94BC22CE71E61C29542D822B8D7D1FCCBF09917AEB889E23D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060043Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:51.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28332BA5383944E0DA5461E88BEA8462,SHA256=8CA6ABFF34C6A71A50DDF3D60008582696FCEA1D0791B84765E98A67BDAC91C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060042Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:50.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431C2F09D07F6E53CA2993BB1AE5DDAF,SHA256=30E35D00A450D175A229585D70E7F0055BE9B7D66ED1569F5934B7B40420AF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060047Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:52.044{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547D8DB3A856EA7604D18121875EF700,SHA256=6A2AA50C27ADF7AB4A574650203A9387903110959A3DD74C4476A7CEF941943A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030859Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:50.914{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060048Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:53.091{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206AC3B32D7885A0C3E00D2FDC6B65AE,SHA256=A1D2AB70188FA2428AB56C8E77E1F42B369EF28CD4F4F9E92D4211571AA8D5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030860Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:53.035{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AF45173279628E4731767F9745253E,SHA256=361D66095743434403294611EE0422B1E171B321380326E218BDD19B16AC861E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060051Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:53.152{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060050Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:54.294{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9221DF7B21606D11DF96CC68B28D802,SHA256=C3C607484BE0D94BC22CE71E61C29542D822B8D7D1FCCBF09917AEB889E23D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060049Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:54.107{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D935A77D40512C2E56D5041E089102,SHA256=14D54262965CF04C6B3A21AC824D32CA5FE6DF17DCF5149F7755BA902DE9B682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030861Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:54.240{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7A21E4F2366F50784502C6E9154BB2,SHA256=8D87707B07CA290422BD32699FB23CAA3DF2CF7365471183520C92A8B3DEB982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030862Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:55.255{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA7FAC1CB09FEFFD8DA67524CD9B1D,SHA256=414DE2718A8BFE273D447240F2EED258021559DECB4E09FFB3F20CF45FC88C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060052Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:55.122{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0741E59A2F181F5D7930D3F99C8298,SHA256=C8442E488C5022181438FBC3784F08850F60F018A7E383953F027174B05E1074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030863Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:56.269{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF76D7C7EB6B2C391AA1687344255A6D,SHA256=EBC03FEB465B7456DC536BDEA804EC3F5EBC0EBF0CB417F5597463C0448C5EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060054Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:56.654{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C050B6FB4F4C1B94962E96BF392A482,SHA256=4F0B27FE50E6787DF5664896390269CAD5DDC303E8ADEFE227547C44ADB64B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060053Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:56.138{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4C7B09A015D516F1F659EE381C4C35,SHA256=438214F655DCEB08DC325829BB0445A9A723EC01AA43D4AC0B035A67C91CDD9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060055Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:57.154{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851D330549A8E788ED4C916E7189581A,SHA256=92F5FC5B9FB517F3F2AB713916447436B18DE32C162E7ED65A71212FD2CB0281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030864Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:57.331{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE2C4FA72C723DC1309C9ABF2F10D0F,SHA256=446169BF706B7E022E192FB06344E228E9DE583EF056A8079A72CCC3A7684B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060056Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:58.169{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99AD5FD0908C5DABEF756EF977C91A8,SHA256=29D54B9495E5336C963C501D8E7401987F61C1C054566F8D7F17A60A89304C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030866Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:58.378{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD10CC116ADDD8553AF60FB0CB53E69,SHA256=2F4C537A4FE18B51B8AE86785FF48BDCA8F1E9E9CB7EEDE5B84FA652780E3266,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030865Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:55.946{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51603-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030867Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:56:59.425{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7557EBABB786221193AE555612842F2,SHA256=25012991BF95CF36F4E6895F1F08B35C78B2D06A834980A82C875178C031949A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060057Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:59.185{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42ED99B5E33C07E2874E7EF7C3CE2004,SHA256=9AF97F974A149A5DE246A7C9C16C391115653F163FFBE81D560DA2B51F61F096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030868Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:00.441{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530C15AFD53C5F20A1DD92712DBBEB6A,SHA256=DCD6EAB8FA8553180F5B20858E8ED790D79E20217AF7F93D61E1BE609730A9E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060059Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:56:58.199{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060058Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:00.185{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7444D65F6FD43B09E1E328D4D098450,SHA256=401B27B082C8491B11B12D6E9E6B0720B1D0D257CA733ED294AE54CCC1335CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060060Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:01.201{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BA9F1D0C8B0C5AA0C099F180748D34,SHA256=69F0166E96A53CB4F137F7A1C61486185F8CDC18BC04D4F8D632ADF4547B65C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030869Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:01.456{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B552C0714E5040B6023304274068448B,SHA256=A808D4A40FADC02122023360C1E8262C83C502E70CA9317C386BF48883B7C156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060063Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:02.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8CDDDBFE69EBBF16916A710003577B,SHA256=1215C92DFACEEE49861DA1E3A9906B45415438CD813537B3A914B621D5B6672E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060062Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:02.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EACA52681835FDF950DEB7368DAD65D,SHA256=35BC4BA89A1FB0BF63ED9ACC0BF1A283B4E6390168A1F5D1A5E7BDB477316E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060061Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:02.216{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01124C668C9DA5C2C60B20BFB1B57D0F,SHA256=35532D08B76C6241E4ED83A105218CC037ECA9ECFCC620CA7E7046EA6FB86C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030871Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:00.977{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030870Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:02.456{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EBC5B87C5CB6670EDB5D9BFFBEC097,SHA256=65DCBE9B8AFECCAE8EBF4A5F2F278A7D42F48C501390B1708F1F86E4F80EADBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030872Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:03.472{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED9BEF732C9D43BBF8AB6D4EB03E090,SHA256=44F352D5504D8F8135D5A28ACD28623CDCA3EA639B0C062E9912D22BA99BF627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060064Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:03.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8395BF43FC43C435379C484B1623BE7,SHA256=569B15CE8072D9F77EDB430502F290530FB1703AF731341E551D840A98BB44A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030873Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:04.534{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D10A8F161DA823B5D231EF2F2B9F481,SHA256=B8C2CF2845C737F6B3F0B54821DB97E716D6D9EB9CFAB73A62B02EE432D960C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060065Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:04.263{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC24CE2FFD09926691B624E8D3F9506D,SHA256=B9E356CB28A2A7B164C422D051BBBC70C0D710AAD26F5647F5177E10DA5A7577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030874Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:05.632{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC5B42004DE236788041B5D777819CD,SHA256=594778AE4B23ACD4B16430A24CEB7BCDCE1937DFA31A4A5B5E6E388B93DDBCC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060067Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:04.215{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060066Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:05.263{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4318874571F641565C196CE3BE1C4B2,SHA256=97807750F56AC1EF98F50DF28682207DC1642792088BA0F76887B22B7F587DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060068Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:06.279{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0665A51B37B67F28A9FA7F3FB66A6CBE,SHA256=1D18792695018387206260CCECD1ED3EAD57C1A140B9C31FEBEC3EFD84F036AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030875Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:06.644{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD28BE53FA06BBBCBCB77D158039CE1,SHA256=933509C84A664BC4CDA59B3D20E401AE031850BCD6BB61113825B35CF19A9EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030877Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:05.992{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030876Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:07.675{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE066E1599BEF01306EC4C844FD73B43,SHA256=989E099690BA6BF62A200EAE502E61DC0F6D61BB499769C67D914024689C491F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060069Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:07.279{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1B7B895355594108F5B0B597BD8E5B,SHA256=008A3460C117CBF62795E10852254F24C45FC56405A73B6296E47CC964B83F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030878Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:08.675{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC67E434DFC37DE4CF08C7F6F8ADA2C6,SHA256=2C477DC30C59034B1418BD1187A931E496595D88EBB3C14649774974C8429093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060070Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:08.294{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54305E8090246BFEA3B0011311C6EF15,SHA256=1D624C52A66A5DF972A64F1176D8C65BBDE68A3379B51421BC9476CAFE5DB357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030879Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:09.706{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378FBFDB90871730EA49FE728AD64743,SHA256=E64AE266F8D1644A52BEBD0B99C32B8F6B6475C2F4AB59070D6A008C58595534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060071Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:09.310{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B7B5E23D37A2CB813A743ADE9C4771,SHA256=A323F3BC6E80D50E3CC2C0FB1DCB75782C236CC2775CDDF9F22750D990BC181B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030880Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:10.737{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7B9971280D25434C1C646D050A8A5A,SHA256=0CBC59C5269B6EBA962B86D050BCDB4D091EC3B231AAD5C5860030365E30F0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060072Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:10.326{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF358CF9139660D0D52B558573C4946F,SHA256=893209694977872683E0467F55C5A977080D6CE25F80AD4AAAF11E4DA432F753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030895Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.893{04D9AEC0-6BF7-6092-DF04-00000000BC01}21723016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030894Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.800{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C133B5F00EFC5CFD873A506E7641D601,SHA256=CF213BC67BB1097F69CFBB8BB4D615CB5C1D9612B4E79E4B8ABA4DB94C8F9136,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060074Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:10.027{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060073Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:11.341{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF53DC2D1385E96A959033CFF7489313,SHA256=89108F01731CF4D501FAAAD1E3D62F7E0212BC6878CC261449563F3B959A27DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030893Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BF7-6092-DF04-00000000BC01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030892Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030891Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030890Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030889Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030888Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030887Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030886Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030885Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030884Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030883Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BF7-6092-DF04-00000000BC01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030882Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.753{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BF7-6092-DF04-00000000BC01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030881Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.754{04D9AEC0-6BF7-6092-DF04-00000000BC01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030925Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.909{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A5B94F3953EC841F8F90B3AE9F2B75,SHA256=D4B13D576E0C5EF75B3D7DD1ACC504A9A5AEB403A615377AB88A3364E1B984C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030924Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:11.023{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51606-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060075Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:12.357{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D2B20DE9D15265172DB6B328FB8B1B,SHA256=1517D1E60767205046739AC9F77EFD8A8267E63CF6ECFE08D556EBC3BBE798E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030923Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BF8-6092-E104-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030922Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030921Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030920Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030919Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030918Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030917Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030916Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030915Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030914Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030913Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BF8-6092-E104-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030912Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.878{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BF8-6092-E104-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030911Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.879{04D9AEC0-6BF8-6092-E104-00000000BC01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030910Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.784{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439983CD10C5C511D6342D5B99B111E4,SHA256=37578DCC9A89D2F85EC9D028B8EDB42F6D4250584CA5093A85CBCE9262B5F4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030909Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.784{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A35135F0003877254D23448737F7126,SHA256=DAB145FFDC3878DE4D5668FF994D87D770180B98379F9800910B8339C0F9234F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030908Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BF8-6092-E004-00000000BC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030907Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030906Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030905Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030904Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030903Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030902Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030901Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030900Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030899Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030898Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6BF8-6092-E004-00000000BC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030897Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.253{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BF8-6092-E004-00000000BC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030896Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:12.255{04D9AEC0-6BF8-6092-E004-00000000BC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000060079Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:13.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060078Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:13.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060077Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:13.701{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060076Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:13.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61817930767A8F55CBFC3620B50C4B85,SHA256=E50928FD16C6E963A43036D2F8498D96AEEBD7F0DB537D3054FFEECE3D7E2EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030926Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:13.940{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439983CD10C5C511D6342D5B99B111E4,SHA256=37578DCC9A89D2F85EC9D028B8EDB42F6D4250584CA5093A85CBCE9262B5F4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060080Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:14.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7886FA983E1FFE24892A7E94BBE2A63,SHA256=DFE4623850D1C4AB0B1ED0259C946456C5FF14E7BDB9B5D1A7093F39F4CE58D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030942Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.893{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030941Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.143{04D9AEC0-6BFA-6092-E204-00000000BC01}28401236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030940Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.050{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F09C36E203509F234D34A5E71E934B,SHA256=22F2C3BE9211CE28EAE5CBC85DF5E7DD32DE61CEADFEA237F0DEE03157687688,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030939Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BFA-6092-E204-00000000BC01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030938Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030937Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030936Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030935Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030934Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030933Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030932Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030931Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030930Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030929Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BFA-6092-E204-00000000BC01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030928Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.003{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BFA-6092-E204-00000000BC01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030927Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.004{04D9AEC0-6BFA-6092-E204-00000000BC01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060081Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:15.404{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84F06358F1C7F5D0CDF2A3CDB81F754,SHA256=93219EB60D718AFBF469BEFA6A2E69952B95961B9D96196BB51575FFCCBEED2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030971Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BFB-6092-E404-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030970Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030969Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030968Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030967Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030966Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030965Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030964Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030963Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030962Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030961Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6BFB-6092-E404-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030960Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.878{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BFB-6092-E404-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030959Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.879{04D9AEC0-6BFB-6092-E404-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030958Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.347{04D9AEC0-6BFB-6092-E304-00000000BC01}22242756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030957Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.237{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C667B723D04637633CDDFE6C10918D,SHA256=EA43E4774DD2F006FD9894A8D17830B14D2EB86968042C03182D1E973AEE89EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030956Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BFB-6092-E304-00000000BC01}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030955Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030954Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030953Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030952Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030951Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030950Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030949Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030948Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030947Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030946Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6BFB-6092-E304-00000000BC01}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030945Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.206{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BFB-6092-E304-00000000BC01}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030944Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.207{04D9AEC0-6BFB-6092-E304-00000000BC01}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030943Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:15.112{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D795C2C62D27E0F5221A9BC6D6BDEAC2,SHA256=3213B5C8CAA587F59F041F5058AFF76B632618BAC5F5B5F888A9533662C2E92C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060083Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:15.027{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060082Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:16.404{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920291000DCF73DA2D947FC0BDB96E3C,SHA256=076587AA95A9330CD6C441B7214B07576C38F20948751C1E760D13D30C1644CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030988Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6BFC-6092-E504-00000000BC01}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030987Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030986Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030985Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030984Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030983Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030982Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030981Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030980Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030979Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030978Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6BFC-6092-E504-00000000BC01}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030977Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.393{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6BFC-6092-E504-00000000BC01}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030976Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.395{04D9AEC0-6BFC-6092-E504-00000000BC01}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030975Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.253{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D418E9406878482A7023112D04A058,SHA256=4D32CD15251016D8A5FA335ABC8055DA24D9BE82E6A33D3B9E02A634CB393490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030974Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.253{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C2B912205037B2076EFA043F7893971,SHA256=763A16E85690E7BF34F96821429C9BD11A4D8D82E722D4BA820E3D589D57F4E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030973Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:14.664{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51607-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000030972Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.003{04D9AEC0-6BFB-6092-E404-00000000BC01}34041472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060084Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:17.419{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2743CA61D283BE4057AC82BA085F881,SHA256=FE4A9E6B27DBB629BEDE75838D5CDCA39621EBE463E429DC1DDF10FBAF067779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030990Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:17.440{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9CC22B96163FC6D8A65BD56F5BEF5BD,SHA256=0042A63E5DEF00C162A37BBC6D906F6FAB09D3494B9A3CCEC65AB473AB229CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030989Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:17.347{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17A94BE6FD31DB6965EC4A87F05D445,SHA256=5C6527CFBF91465D2AD10C66A5788168CE2D7D074D575207D55050578828E870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060085Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:18.435{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E7C2194E2D72CE065D6109EF0CBB63,SHA256=35000C3D5781D5AF1EF2CFF268EEF7F1CBF2E56A4E7315A576DFFB29CDE99FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030992Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:18.362{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DE4E17BAC95AD2FFF512C74B2AB4A7,SHA256=DA959EF8F80299074FDDA9F774B9E2ACE138F4745012DF413025B3387A5018B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030991Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:16.039{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51608-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030993Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:19.440{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7FF6F423BE31BD2B3748DB5208AA64,SHA256=899D31D9A048818491937FB85E19E1BFE02B6DA2BED10394BDC98DD7A0EAF440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060086Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:19.450{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D611DA0B963CCEDC1ABDB8F4536F5B72,SHA256=5ABEC78CEA71B0B903EBDB95431EBB1B432125422ECA793570B9CB46FC007060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060087Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:20.466{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33B9781A2552F4609F51EB612F13C11,SHA256=451FEDD3D53BEF8802991ABFA1777A10E2A297B7EA2DF4B704C697DC85E26A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030994Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:20.440{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73A3E449C0AA78219C2603E905C1866,SHA256=0372F61C3433E00A6AEC30208B6C731163D7A9F768EC9DFED496DFBD75C3E562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060088Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:21.482{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E8660678FF222E44365F857D336354,SHA256=AFE167B0087BF1379C51CA4C7371F20D0D63D14136147263D31086DDACA6E6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030995Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:21.471{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF893E8DC6E0927C59C9E28162AA092,SHA256=326FF49A0DA7F745E05EAAD4D968C30797650D6D98AD0C6D24CC58114ED7A676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060090Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:22.497{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4402CE55D0C204A3A36950FD789C09F3,SHA256=D68762EB3163271362A57BB9266908603F141AD2CEF215D753C6B088E54053D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030996Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:22.518{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3EB500AE0964A8E357A4DF80C60970,SHA256=B1CA7C5B7F8C576D6A7C43EA203D11005A8973A91FEB8DA407D1B18B288C086A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060089Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:20.042{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030998Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:23.596{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C566BAC86C3F1134FC5AB5E014F6587B,SHA256=12A5F623722174BE0132C2929229D33D1B29E8E48AD77B2D4263E4AB1E325881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060091Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:23.513{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5A010903FDB086337F3402FF20FB5E,SHA256=302EC15A39E05C7171DCE165BE441E974466DA6A00743BA811BA49D4F39E9DC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030997Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:21.851{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030999Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:24.612{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA4B03E3F89F62C675E403834E5D0EF,SHA256=FBAEBB02ED676681C76FC42D3068A3E8B192D0D4F00DEC2F62B460072ACBB70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060092Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:24.513{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FEE737C4720BB47FAA2576A05A526F,SHA256=C86E7A4457B00F66FE1B0AF5F8B389D34B020AE53D5470654B7A97256BA1413F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060094Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:25.529{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD49F0792619863FAB01713CD991549,SHA256=EDC10A74C758CC3585F3C30FAE334DC0F4EF27B125E3AF131E320E9C9DE289AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031010Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:25.643{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2CF4E7F9D56BA02592158D918E328E,SHA256=605542407672FC1522555A024467D9577E90C036F88A0C4DC2238379FA2E0240,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031009Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000031008Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0087a269) 13241300x800000000000000031007Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418c-0xaad66221) 13241300x800000000000000031006Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74195-0x0c9aca21) 13241300x800000000000000031005Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419d-0x6e5f3221) 13241300x800000000000000031004Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000031003Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0087a269) 13241300x800000000000000031002Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418c-0xaad66221) 13241300x800000000000000031001Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74195-0x0c9aca21) 13241300x800000000000000031000Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:57:25.393{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419d-0x6e5f3221) 23542300x800000000000000060093Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:25.138{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060097Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:26.857{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC2119AADFB5587C7EAAB5F02EE01BA,SHA256=1C4B1DC0DAD7A66AE39B1318F21DB496E4BA42FE3A48431F67EFD0C9CB8E4FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060096Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:26.857{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8CDDDBFE69EBBF16916A710003577B,SHA256=1215C92DFACEEE49861DA1E3A9906B45415438CD813537B3A914B621D5B6672E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060095Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:26.544{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DC987401E983842AE0A478DAB2878B,SHA256=2E689BA847884195028399ABDF80AA36641BC230017C6079BDEA749EF4CD1DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031012Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:26.659{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AAC65D522158909195ABA735774CAC,SHA256=26B21FD198801ECA949B9AF5CAEAEBA306790EFBD0FA4945555B77BE8327EEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031011Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:26.049{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=27CE029DFA6FDD6086FF1A3B034B8261,SHA256=975DA4FFE2C00AC7C7A182F9BBCA5B43D8E09B28375F9BE23D13F0E30AF6E928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031013Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:27.721{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94CA2B2F73C98B51E803AD3DDD7B1FF,SHA256=4675A6B50961EFFC3DA2461F37A057FC0B7F19F89A82BB339720A1DAC1F30188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060101Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:27.544{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9973DE6AC78DC8C53163FBA47133CE36,SHA256=2FCF1CA41E8259B58B964722E09F85384F7E442503AE94B64FA8029F89F1EADF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060100Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:25.793{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54111-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000060099Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:25.793{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54111-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000060098Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:25.089{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000031015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:26.898{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51610-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031014Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:28.753{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A26A8745267B9A79B92B0CFD89B995,SHA256=EEDC4DC7399FFDECB830938DFFCEC199C00129DD6C6587C8C8461AB5D63A53D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060103Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:28.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F560618F4F37D8D0885592EC95F93F,SHA256=AFC94E358FC5B8F07D380DE51C22D202CE0C1B853328C8598370D2B4D07708B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060102Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:26.089{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060104Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:29.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96EE9DE9C3B9D11AB469C069E390486,SHA256=3F4CC9DBF670A33E7566D5CF13021E11C8BAA3731020380C5A205F4E87E9D0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:29.768{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC2781C08FA479F3B5D9EF1BFF0EB0D,SHA256=1778D3A0041003174EC9E8147E1F59DEC49967A4D4342C16E4FE9E7EE15D365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060105Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:30.575{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33040F0BC2F0A9BF27A80E6406CB55A0,SHA256=10ED5801BF088A31B9A24E05A4E9293B760D189A24F9ABAAE626C419A8D035E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:30.784{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DF577928AE1D777E1D35B8870CA2CF,SHA256=99FE69F7DB668E20861FC632F9106E789BC7B818038CC918A722264E4229ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:31.799{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1542FCB2F52DAEEC3205CBC241803CB4,SHA256=4EF8962775C8E226BF6CF075177870B540F36E679E688A59EBF1B3DE1B4F4DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060106Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:31.591{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F53B93E5EDFCAE34D396B3C7041C63,SHA256=303382AD383C25D3A9ADD468045ACFEE63213E1B5B53538247CF8EEFE0F1ACFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:32.815{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F2ACBFDC49F4B3C9F2217709A3ED35,SHA256=6AAE2C8516AE70C3565B3E66FB73D03B258F9416BCF2300B54F8BB30B4EF3446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060107Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:32.591{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE76BBED4E7130F02E2CC31096E6E873,SHA256=47C80EEFE022C19EDB4F89E443E0B0B7031C7E9EF659DCF46EF8CBCA3749001D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060109Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:33.607{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9ECE44EED68062D07086B4FB1874F9,SHA256=51091EC02D74B8ACF4F457912052D63D5DA8A72FB2C83CDF6B32E708583A5932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:33.831{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F56FE3791957E158423490A2D59EE5,SHA256=A6FEB69AF406752F462C0387B02CD06CB65A7CFCB31D42E9E477CB26053C0868,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060108Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:32.105{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060110Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:34.622{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB72A53E2B2DD2D66B888CA7D02FD56,SHA256=4D38F2AE5726C2D75BF822A90D4990351433744E2211FD56E6192E3DED1B0A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:34.846{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2098D9D369B86FFCA130EA470A3488CA,SHA256=4DDB38D7171B8B76A5BC3C1A389A233A65FD80EB0D5FBF5639D94E37607E4AA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:31.913{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51611-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:35.862{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E25F9D9094B7552E9D80C94B5A8055,SHA256=D7475AF1B2E63BE65CAFC580FCB7279F0D122D20C3B2EC8D182AD4C7EC92AD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060111Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:35.638{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3642624CA128CBBA25ABF161668C751B,SHA256=94A4E207F99F7FFD06AEE7FF62CB87FE68B2F707A039ABE722CE921B2555933C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:36.877{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466FE8A722F99B780EC5BCA88BFC8C2,SHA256=B7228AD63B6F220C36D96E8DEFE196049266AF6DF6D8A47D49000B9BF53CB7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060112Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:36.654{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B671E5068C82FEC31164DEBF7BB0F3,SHA256=CB8479CBAC4D99A53A8E62CFDB3AC6ECDC5F81643FCEB4BA71EC3361B0C60B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:37.893{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740BD4AF557EE4E267C9A70CDA6766AA,SHA256=555E61CAE502E2FC17B254E6451CA50362ABAF689D5C17C408E6587A9FD9EC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060113Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:37.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BCBD0B86ED0FAEAED6461AB6FEB7C3,SHA256=0275238CB8A8A2C506227292A26E2FA59236DD786A369A732811F39D1D36EE07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060115Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:37.120{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060114Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:38.685{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC20AB83CB700F39A73D4029DF84F16,SHA256=9E27C3A0918C43B14CF459319E6C783CE11B62D600B3F1785816373853DFB03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:38.909{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E029FCBD2360818575976FC0FF27C8,SHA256=8895546432A0C6542E84CD255C5ADD05E1BC4AE10E94FBCE9DB871AFF449EF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:39.924{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796B5386E7E3747511E3C2F4EDD07280,SHA256=0C1736BF3BC16C66772548BEE3EB9963AD1632332956C35B2B25F9DC09413680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060124Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.700{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF3BBEE33D07CF9BF1E660A6240ABE8,SHA256=F54686F0CEB0CB84E15A4F419AB49703EBF71B164BCFFC6C1BEE85B1FD86873E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060123Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C13-6092-4F09-00000000BA01}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060122Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060121Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060120Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060119Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060118Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C13-6092-4F09-00000000BA01}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060117Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.325{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C13-6092-4F09-00000000BA01}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060116Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.326{B13AE1A5-6C13-6092-4F09-00000000BA01}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:36.991{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51612-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:40.924{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AEE7E6B1867601448D3F8F24991719,SHA256=5690E6C252D28F2AE2F89C0C3AF283ABCE4F81DBA4BF8A7807798FB2B5CAB488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060144Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA47858BBD57926502D7EF141B036E1A,SHA256=B2B98A9EFC7BA2F1723D7707AAA95E222AAD7451BD1BA89B6A87FD8FAD758251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060143Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C14-6092-5109-00000000BA01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060142Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060141Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060140Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060139Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060138Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6C14-6092-5109-00000000BA01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060137Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.513{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C14-6092-5109-00000000BA01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060136Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.514{B13AE1A5-6C14-6092-5109-00000000BA01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060135Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8524135287A93989EAFB1312BB668F,SHA256=64267CB79587AF84674C3A72D8CA785582B14F89AC3BAA02EFAC25EB9960F467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060134Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC2119AADFB5587C7EAAB5F02EE01BA,SHA256=1C4B1DC0DAD7A66AE39B1318F21DB496E4BA42FE3A48431F67EFD0C9CB8E4FE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060133Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:40.138{B13AE1A5-6C13-6092-5009-00000000BA01}69404368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060132Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C13-6092-5009-00000000BA01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060131Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060130Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060129Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060128Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060127Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C13-6092-5009-00000000BA01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060126Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.997{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C13-6092-5009-00000000BA01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060125Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:39.998{B13AE1A5-6C13-6092-5009-00000000BA01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:41.940{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C484C42C05BB58C1DA605263874118F,SHA256=CF85EF5997E574FAD304601EE384C403D27B3535A3444D3D5EFD1D8AD31DDEF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060154Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C15-6092-5209-00000000BA01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060153Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060152Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060151Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060150Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060149Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C15-6092-5209-00000000BA01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060148Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C15-6092-5209-00000000BA01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060147Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.857{B13AE1A5-6C15-6092-5209-00000000BA01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060146Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.732{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DD6E3FFD072AF4BDEB96F583B6521E,SHA256=1DE266E850E1D0B95723253FE9E08DED77212FEED32E53641D261FF50530F1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060145Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8524135287A93989EAFB1312BB668F,SHA256=64267CB79587AF84674C3A72D8CA785582B14F89AC3BAA02EFAC25EB9960F467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060166Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.904{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CF2F8355D0501A57596931F33D6FE78,SHA256=33F64C9A8DFFAD871FF6F7D3ED5839BD3936FD2F433C2282A39E3BDE142CD6D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060165Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF79E1A9CAE97889C5C920E73DFF037A,SHA256=C6CE8A47975C9BF79A6C923A20E99982E93466B1132DF3822289D80522162172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:42.955{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDE38C2F9249326FD21C716FC1C60F3,SHA256=26F2A817E546FA13E1E044FA97D35B30F834207DC49A994FE576EFC819D32BBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060164Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.700{B13AE1A5-6C16-6092-5309-00000000BA01}70803676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060163Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C16-6092-5309-00000000BA01}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060162Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060161Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060160Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060159Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060158Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6C16-6092-5309-00000000BA01}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060157Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.560{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C16-6092-5309-00000000BA01}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060156Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.561{B13AE1A5-6C16-6092-5309-00000000BA01}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000060155Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:41.997{B13AE1A5-6C15-6092-5209-00000000BA01}56447364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:43.971{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61115F2BF27A511C9F687125F395E1C8,SHA256=D51D3B4B840FBA4DCE596C613728B7246D660BF6AD20FAC8D63FB36C177286AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060177Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.794{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA091989897258E35BA0D7A68F707C7,SHA256=8F4C4228F965D436E17F77244DB46D494234FACA78647118E333813F736BBF12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060176Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:42.136{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060175Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.247{B13AE1A5-6C17-6092-5409-00000000BA01}64206760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060174Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C17-6092-5409-00000000BA01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060173Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060172Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060171Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060170Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060169Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6C17-6092-5409-00000000BA01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060168Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.091{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C17-6092-5409-00000000BA01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060167Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:43.093{B13AE1A5-6C17-6092-5409-00000000BA01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:44.987{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B2A97358EB575A351334E3A3E646B3,SHA256=9144F6A176C9C62CE16F6A7FF1400C33ECFBDC8A598701373D9FFCE84879A4FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060187Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C18-6092-5509-00000000BA01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060186Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060185Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060184Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060183Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-4719-6092-0C00-00000000BA01}6085384C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060182Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C18-6092-5509-00000000BA01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060181Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C18-6092-5509-00000000BA01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060180Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.810{B13AE1A5-6C18-6092-5509-00000000BA01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060179Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.794{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421C6C36F069AF81F67B337C26104B74,SHA256=2952CAEE54014FC549A97F6ED464A556FD80D3398BC48F0FC1F835D04F52A19A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:43.038{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51613-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060178Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:44.107{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=629A81A06962B2365A61423C4ADA739B,SHA256=04D13973A1EFFE4015C5A316ACDB0109B2B86B0D5C71A017E6E485A701BB65E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060189Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:45.857{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF318123D406DCD429ECF294B3C14142,SHA256=BDB9B3C47498BCBB4F7C49F4902A259C9EC16721ABDDFF2F2FDBBD6A887F248B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060188Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:45.810{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495A6BD7B739A8992F520253931E8694,SHA256=209215D0A48A0F0F6300C508C2365F17A2A7BEF6C33432310482FA857EE1F93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060190Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:46.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF8609526810F94B34D48BF13194B5B,SHA256=65AF8C62C35A3DE44008646E84C116C6FA35F0BEFB11BB0B08D5B3A02CA30AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:46.002{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3EDE4CB956B8C68006AC8D3DE6A4CF,SHA256=6804DAE0A9BEA9BE81EAEBA5239231D982476A24AF81DB18D4E9E60936A48115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060191Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:47.903{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0892896CD14999F7C28DA572F8BFE18A,SHA256=66437BAC0A394C2BEA21B58DA66A45FBB4972F5530D96BC408F82F4BDD0DEB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:47.018{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87E7F30DD6A56A129D80492AF43A203,SHA256=AE5184D6514AE08C164984A9C921C92C735899DB73901F5D7EA90B654471BDE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060192Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:48.982{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3944F0B3398A449F27145EA96E5EEC41,SHA256=19A7BF1CB5EE90BDB8290F03DC6C48BB1FA780D3EA9BA4A19B8BFB83882C4247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:48.080{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5DFDAD336FC38244FDDACFB9649363,SHA256=1799A55796D7A733019D1037D14DA49C4EA8FE6EDFA3787BFCD29955BAEC837B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:49.096{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CBDA7225F641F7FB2B793B1560136F,SHA256=6BF18C1162F32F5EA7F0AECA53A528C11AA0C171E1DA1191C094CA90817DBF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:50.174{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3C2EF84C05A1EE97158F4BA19B018A,SHA256=894EF5DB6785C4A40827CB63ED682E4E3E8BBF46AC64F2AE0C64FE1DE930CE90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060194Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:48.136{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060193Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:50.044{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992A10671F753729CB5C122ED9E665C1,SHA256=5211DCB5449B828CEC568C73E1B5F810B67A34155E3F4F6BEB06108572CF5A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:51.268{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2B3570AB05318CA04AC2B995D98B4,SHA256=1C500EB0C5ADDD334ED8BD80092E24B19AA836128404ED20798001B68ED2C0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060195Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:51.091{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8AB3BB2C9146A111025274FEDCF001,SHA256=55510CE614FBC32962A5DA0CE44F451B17A469B8E7CC68C5B999994CF5F8D614,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:48.882{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51614-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:52.315{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6A3BC28B0119C137B5D9B517BC7BF7,SHA256=8D776961FF45D6D0F302120B5EAF5A0C3A7CA54148BAE30ED9AED645A2C17F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060196Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:52.122{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E55E5B54310D086C44560EFFB1E948C,SHA256=D7AFF9E2E86C15919D1E916738927E6CBA7689E623396748A239E34F55600B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060197Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:53.138{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FDF322383DD4404D3966534069DB5A,SHA256=B45A544CAC976147CFE58599EE41589B470F4AECB80C8D5EB71CF423DE63A8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:53.408{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452AF4D19ACE06AD78083EB2CF8F8CB3,SHA256=FF0231C9C643B1776D60129F1940AD5BAF71652E6B83DCCEC0481B2DEF046521,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060199Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:53.167{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060198Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:54.216{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B4FAF1F0A09BBB02F821ACFCE95858,SHA256=304E45CB368BA8136D903D82AFA956109042AA8F053433DC136BE18F733D488C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:54.439{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A011DD01EAFBFFCD24B0624852F6CBA,SHA256=A39854966B63299DCD938678241B29FC721152D81D95DBC251A165A36D10FDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060200Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:55.357{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BF84199716560F6FFF1616E552E3A0,SHA256=805B90309DAD392D774C3341D6329A0638F4BC5A8EF6402071DAE082EB9C7FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:55.486{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64E0625000C3EED010D8D9415AE9229,SHA256=071755D2F5DFA6CB545904F97C3C1A09B145ED20BCE11D56A84694F743E39E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:56.549{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E08AB5835E73BAE44332243BCD79B,SHA256=D7A061A1C9067D449E6DA648D66F939C654941F62AEFC31A632BEF88751A6CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060202Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:56.669{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=41B406C77A9C2C5CB6E42A67CC696BA4,SHA256=A2E3B1784819C322BBD18FF2A51BE7432BF457F783303A4A2A16B8F5250B758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060201Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:56.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A6F4F674129168FB6138BD024E880D,SHA256=0A80F3F6F0A4E3E860034DD67FE1A875E82736034DB45F042096CF14F5569CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:53.929{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51615-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:57.611{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B9B5007D9F9FCF98B3AC28E272E053,SHA256=DFE17CC6192DEC32E4C04FCE9036975AECB6140BA53283DA1900E388DE35601F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060203Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:57.403{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D929167E35E68D3DB5FF9DB247A096A,SHA256=539115C2C69621288ED97DDD193890E1E54B73B8AF56CDC82265185D1288C037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:58.721{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB0B63C07A4CBB65B48430AF2AF684E,SHA256=953C9398F9B6425DA3429BF0F4A6394005BC09C62600BEB3477F9346EAF0370C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060204Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:58.482{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B1EAE07CAE495FB4F04B4E6CDE0D27,SHA256=9ABC6655DDFFFA43F0DFA318389B7163655A3F14D7B6482A7052C4FFA7B18C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060205Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:59.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB85534381E03CA88E9E10F9D715FBD4,SHA256=7B719A1056B60C2B7BDD33E1846396E85F92A4223631667442BB92F2AB2511A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:59.752{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6BFE18F9D94429E04752D3F9C151F6,SHA256=F846B1AF90309A93DF52AAB016C12C366EDFCE97227F43F41A74C0D6FEC03F50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060207Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:57:59.136{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060206Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:00.575{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2E912B8AD60AF2573C11E8B7671519,SHA256=DFB04ED9B0155A567E0B23B25D79E1C51E257AAFD0120AE829E2F04BF5C9D7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:00.767{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A665AA6BF16AB262E9853E7BD2802E3,SHA256=51DF3D887B76A6D73B73E824A8B9AF329077CC6DC8D40077559915A981227498,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:57:59.022{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51616-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060208Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:01.653{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9F9503B76A26DF28067F8AB1916020,SHA256=6A8EAFE4BA6C1C72A22A6CC52FEE6B6F3F647DF01A691AA38655BC13901E153B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:01.814{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5E394B25070D3C2A7CDA83B1C3FB7F,SHA256=8944FC7D67269FD3EE13FEE1F639C19F97C7079688EBDC135AE7AE146AFC3BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:02.892{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95FC94E5A89180AA26E094DF449A381,SHA256=52068080D17146A3F9D90275C5A129896F04F2893C85F926743169AE8B4E413A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060209Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:02.700{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631914C56F72F2AD5CEA17EB7779D061,SHA256=2D1027FBE015A3F3B91E4F376F64F569E9D0E370C9DA9D92DDC1A0555A6DD5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:03.955{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28738F71A73F5CC99D5899247CD3A808,SHA256=D3FBB4FB2948476BE7B1EB7BA063B90C3C8ABBBE6517D9276EA1840DC23F4980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060210Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:03.747{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F1C12CCC74A3D5A6C89A20BA5BD5FE,SHA256=2A4C16C33585B9A981EA798611322EE49E92EFCCC09513176FBCAA15D379A579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:04.986{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE44F84460C0C6E3353A84A87290484F,SHA256=10EBD44E5819823399E0D516B5579C810499164659F5A6EA7756718345B869A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060211Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:04.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B4AC09B7A298733F5E9405EB270988,SHA256=D226E6A03CDFE1FA726E118FFA3DFC833D12D0DDB12B0A3B898F4A9BD4D6DEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060212Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:05.841{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2968F025D83F28FD0E785C8B4025799,SHA256=1133ED8B2B3558F61A1500FD79B435485363A56598C635CE1305FF7E514052D3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:58:05.658{04D9AEC0-4953-6092-1100-00000000BC01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74195-0x24f370e4) 354300x800000000000000060213Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:04.167{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:04.834{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51617-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:06.002{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BF044272A84764F95B68E7C682BC6E,SHA256=F804AA51CDDFB653722F7308C1D5C3FF5EAEE7549559256B165FB1A67CAF250A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060214Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:06.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18475DCCE433A57D4F9EE6BC27836D6,SHA256=23EE5591AE36015FF2EE2D8F838B98FA658AD74F810F912341A169B441F19716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:07.033{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2235EB3CE7868F4223A2105C507A978,SHA256=46A09AB186EBEF0A130B8A784ED53BBD9998228055E74D1A9144BB16AD846396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060215Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:08.013{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA68725825EAF2C9AEEC82CEAB1146F,SHA256=AB00FF5569CD1163AE6F685211D2E1F602734BF464CD94643E9AA4883B3C8C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:08.142{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30EDDFD33B9DA83FC3C1DC88CE97E43,SHA256=BD5433CF85008D74D13460DF8F081A0224E8D4564D38C47DC68CB413F1B44579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:09.220{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9879935BB7137BD82D69791E4CD80D4C,SHA256=A9F5F4E1982ABE0184915C5C99F9D8CB6227A29C8B17DF31B738A670BD9037FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060216Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:09.028{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DC1A7D134E2B89D57FC62C64CC558E,SHA256=E523A443D5275C22D94DA268F32E19692AD4D24497195E06AE98FE3FC5300066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:10.283{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866CEF01476835DB9E72B8E1B1F77E39,SHA256=88262A8A1598CF976C573C98DE0A44212AB0CB942484D79D98EE269A542FD97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060217Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:10.060{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553418B6D09E96DAD0D56C5A56AF72D9,SHA256=33276CA22EE3BBA3844EAB3B4580677B80E3C12A7EAE82AC9EF8DCA4292A1411,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C33-6092-E604-00000000BC01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6C33-6092-E604-00000000BC01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.689{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C33-6092-E604-00000000BC01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.690{04D9AEC0-6C33-6092-E604-00000000BC01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:11.377{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4358C739B1F8DBC639A6D9D6760926,SHA256=9670575CD66DC3F936C193E9613AFB498B6E92B9C481F0B8D52713A35678D71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060218Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:11.107{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045DB8A9AD05247821439786E1EEF225,SHA256=86B44B1726B55A8D717E8C4901C4D943CCB77009186CA10691D4AFCC07C96BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031093Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.830{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71EF2D1ABFCEC6185B33705D007B6342,SHA256=D9862022DB83C9DB847D1F6B7821A33059978B81B67FB1F4293D073818307E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031092Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.830{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E877653CBD82E2012B2758A47710EABD,SHA256=2F1FEC8496D6E76287E180CB3018D719F89A882813B7EDE47997055F1FB33627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031091Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.830{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD24A117A72FA00FA682143A47086599,SHA256=7DBE1262DB537564204CA4F6583C6999ACFF4F2AE3F9BE02800160688D05ADDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060220Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:10.182{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060219Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:12.185{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A736F7A1980F6D1C5466517A7B618C5A,SHA256=4A565511F9DC625740E0F947D8A83E392F140D0A58D9F3D744183118F4F24DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031090Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C34-6092-E704-00000000BC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031089Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031088Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031087Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031086Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031085Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031084Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6C34-6092-E704-00000000BC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.361{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C34-6092-E704-00000000BC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:12.362{04D9AEC0-6C34-6092-E704-00000000BC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031122Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C35-6092-E904-00000000BC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031121Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031120Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031119Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031118Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031117Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031116Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031115Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031114Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031113Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031112Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6C35-6092-E904-00000000BC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031111Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.970{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C35-6092-E904-00000000BC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031110Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.972{04D9AEC0-6C35-6092-E904-00000000BC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031109Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.830{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09F032D00F639EDA85215CA767D56C2,SHA256=E16D1992575037BB82DBAFA8E55CAD62161350BA3A9673CB43053460F9538827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060221Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:13.200{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA2298AC5E9662CCF4E1D2F74873B6B,SHA256=703BB78D54C6A204F217AF55006AA3E0E4FC320CDA426398958B7090C0FAB0B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031108Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.173{04D9AEC0-6C35-6092-E804-00000000BC01}28043768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000031107Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:10.866{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000031106Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C35-6092-E804-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031105Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031104Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031103Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031102Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031101Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031100Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031099Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031098Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031097Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031096Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6C35-6092-E804-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031095Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.033{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C35-6092-E804-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031094Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:13.034{04D9AEC0-6C35-6092-E804-00000000BC01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031126Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:14.923{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031125Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:14.845{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04420650C4E7E3773BC90CD3D98E5747,SHA256=DF38C2F20C779C039D5883AF82D68FCB074B23DDC6F40BEFEE1D8A062737DF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060222Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:14.216{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7483ED4AF94F95736418BA0F0C4C31,SHA256=0A67330E9269F62A33E52A52915FA6F27D89992E7A6976314075A10EA5DB3974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031124Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:14.111{04D9AEC0-6C35-6092-E904-00000000BC01}6121828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031123Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:14.064{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71EF2D1ABFCEC6185B33705D007B6342,SHA256=D9862022DB83C9DB847D1F6B7821A33059978B81B67FB1F4293D073818307E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031153Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C37-6092-EB04-00000000BC01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031152Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031151Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031150Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031149Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031148Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031147Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031146Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031145Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031144Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031143Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6C37-6092-EB04-00000000BC01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031142Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.892{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C37-6092-EB04-00000000BC01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031141Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.893{04D9AEC0-6C37-6092-EB04-00000000BC01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031140Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.861{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280462D23EEC9485AF69D13ACFC906F6,SHA256=5EAA05776C26A071667B1E4788EE6D3B56A0176F7CC52129BA8010F625BAE7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060223Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:15.232{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B908C473D464EF0CA771D35C6EC1EBF,SHA256=F717BD787126C6F235125737E75A02553C8A202840812316C5CF5247D2887C48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031139Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C37-6092-EA04-00000000BC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031138Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031137Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031136Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031135Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031134Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031133Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031132Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031131Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031130Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031129Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6C37-6092-EA04-00000000BC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031128Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.220{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C37-6092-EA04-00000000BC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031127Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:15.221{04D9AEC0-6C37-6092-EA04-00000000BC01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060224Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:16.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC6753C88A833218344F946E8267A55,SHA256=4E84DC9FE4FDABECBDC3456C01C40727B082966C072AF31E345CE5DD1E05D5A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031170Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.705{04D9AEC0-6C38-6092-EC04-00000000BC01}21763836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031169Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C38-6092-EC04-00000000BC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031168Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031167Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031166Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031165Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031164Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031163Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031162Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031161Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031160Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031159Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6C38-6092-EC04-00000000BC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031158Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.564{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C38-6092-EC04-00000000BC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031157Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.565{04D9AEC0-6C38-6092-EC04-00000000BC01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031156Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.236{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F3ADAB9E088D5E9F4A052992B642DAC,SHA256=2F7193BA548325E1FE51B6E75023485DA2B13E60E6C951AC84D54035C96603D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031155Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:14.694{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000031154Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.048{04D9AEC0-6C37-6092-EB04-00000000BC01}15282068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031172Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:17.642{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F0E2132BE95E3CF32249FEF5B1F4C8,SHA256=7837C3C24EFD81D5CE43B0BF3764D5E8BD2C2BD6227E5964EF44A194E37B1CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031171Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:17.392{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3332368DD8BFB23D20D731BDBEF75D,SHA256=C68D98538D04B6F7CC9DF603DBCC8F0CFDCBAF37C1573267143D4C8AB4857880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060225Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:17.263{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8AB9E5DE149035F6A045812C2099C5,SHA256=2ADD5067891941C6CA25583B30A87F281FCD8BEE4A2CB61D812486CBDFB2B8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031173Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:18.486{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACD2EB90DC06FDA6D666BC6653E21DD,SHA256=6F87FE76BC887D4145C5EFE18AFB24BE21F77AC7BA632714AA5700315B5055E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060227Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:16.213{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060226Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:18.294{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BB73FFBA046FAA59ECA73EB6EFFBF8,SHA256=EC75042EED967D4CB823456BC9167C30EE23E31F54801C7257E67750B21F9D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031175Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:19.517{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E511B16D8FD4EB38CB66E1542CB34866,SHA256=70340819F0940F3FC8A68C8C2A3128A12A14A72EE111F8E0712D991A52D20083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060228Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:19.310{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1359FF63BA09887F8C5986B83778AC,SHA256=46A5B4D18FFA9867DE80FEA8467FB3C648F3DD22D3F2A9C6F282251368F020DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031174Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:16.897{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031176Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:20.564{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBA9D8F5AA930FBBCAE42169AC9D97E,SHA256=4ED59585D6B291DB5B806F2A330E8D9336479DE480C3F18FA67F527A13B848C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060229Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:20.341{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B40F50B3BD169EEEA4791AA82CC64AD,SHA256=11DD9C1799D0993EBDC3099E4C457B3E783B470EF67C49467E994877C53B06AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031177Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:21.673{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B90B6382E239293328CB030E2AAE625,SHA256=A7EA319D3F5A2F60C1FE82FC375C5615EECD7153DD331BD9DA73C74D83261C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060230Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:21.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC2BAE326E75EC0655218AFBD169661,SHA256=01EDD5BAED24127F866D2C59A39A2714F431EA5E9DD7127A2F75B5FE75E41142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031178Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:22.689{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B284DA64F80137A9FBE7DCEA8629C1,SHA256=9E888228156DFF0085CB32DB8757D69F6B2866425E08561E5D409B7EC26D30D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060231Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:22.419{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2043C36590513F333046A27D2F68BC48,SHA256=C0E354DFA765846A6A5F56C7D21B7A52B7D80D6DB0CC93863FFDAC09A3BB0A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031179Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:23.783{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2000CF87F3C1A486610C7D4616CA2EEC,SHA256=67874D198F39C89E34F81DA773DE4F0229BFA26E96786094A40EA44DC5B739D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060234Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:23.731{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-4D0E-6092-EC04-00000000BA01}2560C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000060233Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:22.213{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060232Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:23.435{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31CB96647AD06425714015A7F290663,SHA256=D1726F910864D9F5D3E64C5614BD0D7AD99996C0AB5E0E3F53CCFB760CF5BF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031181Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:24.798{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE147A147FE4F8DC48DE3F5A11E7D1C4,SHA256=2B0A6458CE3FB54640A320D43FE8739E9A6D2E55B880E03E46F8BA0C977CF33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060235Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:24.466{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0DA9B287205CBE340861A1D44DFF12,SHA256=4AC3B92DEA322556A591536F52D05D4919BFEE1AF1C5246294C6995736536A88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031180Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:22.943{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031182Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:25.814{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740CC8BFD0189430CA82343B305EABA3,SHA256=DA6664710BF65AF7ECFD244B182E4BC25B697422536F3024AFEC713483DEAF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060238Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:25.560{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC87CB709F182A5D07155946EAB8A5F,SHA256=091D500CA527338C9124BD7E73C3BF839C037606E761A5D5FA0BA3102D1FCD81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060237Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:25.388{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-697D-6092-9B08-00000000BA01}6148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060236Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:25.169{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031184Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:26.892{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E610F5A689B193A534169CB790EEA6,SHA256=160EB8EEB0CEBC8862805CB0DFE3665BEF55A57099045AB35D54525E5E3895DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060242Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:26.856{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C109B37AD173C90C67D984A014B90824,SHA256=171D0CE731E31F6D877495AA817B4AAE6347F8206884325508D0D8E75B020915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060241Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:26.856{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F771384B3934B6C5BDD1721830AB264,SHA256=B51682688E6EC1D09215F1E7F8BFB3828F36614948F810B05E5F0EC8C92A7F5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060240Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:25.120{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000060239Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:26.606{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DF3C57303C7C4DFA7668675C81A52E,SHA256=31A85006CEB80B3264F1FEF042A71733F0BD198D15EA993F949A4C6E04CE5A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031183Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:26.064{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3C2C5EC1E3CCE2ECB86AF00967299459,SHA256=97E2EE1F7FCB79451210FA20287D49900C2F2C59C2FD483BC52E3ADFA9D95347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031185Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:27.939{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55739CD55B1D238E452B088882EDB681,SHA256=00863FD9E3821FD20A3FA0DF4662888049E4735BAEC7843A20597047B614FA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060274Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.903{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2C00-00000000BA01}2752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000060273Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:25.807{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54124-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000060272Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:25.807{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54124-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 10341000x800000000000000060271Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060270Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060269Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060268Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060267Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060266Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060265Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060264Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060263Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060262Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060261Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060260Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060259Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060258Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060257Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060256Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060255Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060254Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060253Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060252Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060251Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060250Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060249Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060248Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060247Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060246Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060245Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060244Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060243Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.481{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060276Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:28.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B2870E4C83FDBA21CF95E9AFE7FC72,SHA256=6EAB3E7D4FA6607581C55E7D3B7AAE3FF609DE41689C6B4E1B7E4F9398103740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060275Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:28.013{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64728190C57BFAF3F58115A7D7711FDA,SHA256=CED870D095843357B87408519C143A491AAEA80592395559695148E446830C2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060278Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:27.995{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060277Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:29.778{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3D6F4EA4133AE2B4096A88BD4D8B72,SHA256=7860DE10EBD7426E84831796D5815352715957BDB533A5ED6F6BFDB9E58DAA3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031187Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:27.975{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031186Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:29.001{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29603353170DE891423BA8FDF53E8F22,SHA256=E7759F27333F7E05E2282BBE734710CA2E5E1EA4A313AA319E59D4495104A037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060279Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:30.810{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB849AD4E3B58AF0E4C5D66AA05AEC2,SHA256=90D22191D651E55F57C3B1C2871B38E23BA0987188B6B3F99DA17AC8144803B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031188Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:30.111{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C26A09EC43B24E686CF9D5089935BD,SHA256=60A519E04F82ACC5D71598BDCB11D40DA810A17C8B34DD565C24C77265FD4095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060280Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:31.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E7F485292EFF7FE2DD9C5B00E3DB46,SHA256=B3AD23EB43F8B60DDD2112EA5CC61FF7C5EA7D7974B9E4B579404419CDEEA62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031189Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:31.158{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02797C47EE6F3957C0BF961EA60BA2DD,SHA256=BE40A755BDC4A1D0B2757DEEC2F781B59A242F9B4E6CDC1FFF3AA61EC99C9852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060281Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:32.919{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692E3377693BB8C4B85DD5A32A615699,SHA256=05D8AA7C61A98E76E6C4ECF618285D5DCE3029CD61BBCB616F8EE6D2479F1343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031190Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:32.173{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F30CFCB69AB5489EECD817B940B12D0,SHA256=A8EF7F6BC9D4087089D1BA3326449ECEED94707F8595D9F2830D27AB92CF670C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060282Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:33.919{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2491D823366746C5408DBF157470FC92,SHA256=2ED5CEE0EA67E03BC1E425EC746111EE7646E5842BE8DEFE42311B3F1A645C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031191Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:33.189{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC17A1DF86BBF44CA56470205367BE64,SHA256=308019886488D5555DB372F1AB57485E48A9A62A4128C0A54962C2594F143C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031192Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:34.220{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EA01E0A4DC9119A46B976D9D228890,SHA256=C3DCE53B0BF52F41BC3EFDA58C6A20BD94A27C0AAADC6208B4338E1A82B186E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060283Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:32.594{B13AE1A5-471A-6092-0F00-00000000BA01}1140C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse51.161.104.168ip168.ip-51-161-104.net55133-false10.0.1.14win-dc-763.attackrange.local3389ms-wbt-server 23542300x800000000000000031193Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:35.282{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312A4C4D554F39B3854F70ED7EA7C73F,SHA256=EDD1EA91878195B08C25366C65F97C8C0A944D53C974549BCD60E2903EA3BB2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060285Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:33.010{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060284Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:34.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EBE1C8712956E38602060DDE49B4A9,SHA256=443EBFDE0453DAA246ACFFEA4281AE4574EE3E6EC6E0B8BB747541A349821408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031195Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:36.345{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624C352FE7893B4A028927B70155C069,SHA256=6E204241041CEF0634F5D09A1BF822959357E984D54D37547E9536D995FF5477,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060308Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060307Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060306Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060305Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060304Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060303Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060302Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.763{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060301Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.747{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060300Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.747{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060299Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.747{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060298Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.747{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060297Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.747{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060296Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.747{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060295Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.731{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060294Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.731{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060293Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.700{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060292Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.700{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060291Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.700{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060290Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.700{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060289Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.700{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060288Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.700{B13AE1A5-4D0F-6092-F804-00000000BA01}44086212C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060287Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.710{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"regedit.exe" "C:\Temp\d.reg"C:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000060286Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:36.044{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71FAE5058E42D8B910B294F81B56FF3,SHA256=14A5DFDD107BA1EF80E06C1CBC29BB9F9927627AB2FDF95428B487C567E8C7DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031194Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:33.818{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031196Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:37.423{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EAC7B0A5E1F7D53B71EAD027E0AD2F,SHA256=E2D4DEEFD8EB0E94ECF4F3BDEFE6D951428F034242104D39573B5BED154C8F8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060324Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060323Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060322Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060321Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060320Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060319Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060318Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.810{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060317Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.794{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060316Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.794{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060315Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.794{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060314Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.794{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060313Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.794{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000060312Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:58:37.778{B13AE1A5-6C4C-6092-5609-00000000BA01}6916C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\DebuggerHotKey Disabled 23542300x800000000000000060311Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FD3227A87972D1CBA308B6E04E443B,SHA256=4E5247CCB37252465343BACF25080A7ECA1DF84A4EF38233AB09CC818D5F8EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060310Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C109B37AD173C90C67D984A014B90824,SHA256=171D0CE731E31F6D877495AA817B4AAE6347F8206884325508D0D8E75B020915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060309Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:37.060{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6DDD33C2A081CDCC2E0130C83BCAF3,SHA256=8E60B0785C5D5A3E0CB87E41A5DADCA9E785D0B642EA603719E30CF1DDB1F30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031197Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:38.454{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3998F4B2F980054599DEE3B0C57D55,SHA256=DE460294DBA59247A59365F5E1FB7BE784FC5183E563D25EB35F75D8213C85B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060325Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:38.091{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E4880978F779A7FEB99937B104463D,SHA256=085EE372B5A702F3DD3DC7A8BEDAFED9F77EF6E73501FC8043691A8D09218AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031198Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:39.517{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE8AC533D074803434A04FEF14A102A,SHA256=CCD3DC9FC3C1D03DA4EC3BBC8D90B89F971D4C6BE6C80AE051A386CBDFB5BBF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060393Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.981{B13AE1A5-4718-6092-0B00-00000000BA01}860612C:\Windows\system32\lsass.exe{B13AE1A5-4716-6092-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000060392Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.981{B13AE1A5-6C4F-6092-5909-00000000BA01}69723876C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5D09-00000000BA01}736C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060391Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060390Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060389Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060388Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060387Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5D09-00000000BA01}736C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060386Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-6C4F-6092-5C09-00000000BA01}37843652C:\Windows\system32\net.exe{B13AE1A5-6C4F-6092-5D09-00000000BA01}736C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060385Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.978{B13AE1A5-6C4F-6092-5D09-00000000BA01}736C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /add hiddenadmin hadminC:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{B13AE1A5-6C4F-6092-5C09-00000000BA01}3784C:\Windows\System32\net.exenet user /add hiddenadmin hadmin 10341000x800000000000000060384Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-6C4F-6092-5909-00000000BA01}69723876C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5C09-00000000BA01}3784C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060383Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060382Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060381Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060380Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060379Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-4D0B-6092-E204-00000000BA01}12681824C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5C09-00000000BA01}3784C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060378Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.966{B13AE1A5-6C4F-6092-5809-00000000BA01}22643396C:\Windows\system32\cmd.exe{B13AE1A5-6C4F-6092-5C09-00000000BA01}3784C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060377Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.972{B13AE1A5-6C4F-6092-5C09-00000000BA01}3784C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /add hiddenadmin hadminC:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x800000000000000060376Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-6C4F-6092-5909-00000000BA01}69723876C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5B09-00000000BA01}3756C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060375Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060374Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060373Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060372Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060371Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5B09-00000000BA01}3756C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060370Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-6C4F-6092-5A09-00000000BA01}78444904C:\Windows\system32\net.exe{B13AE1A5-6C4F-6092-5B09-00000000BA01}3756C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060369Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.957{B13AE1A5-6C4F-6092-5B09-00000000BA01}3756C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 localgroup administrators /add hiddenadminC:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{B13AE1A5-6C4F-6092-5A09-00000000BA01}7844C:\Windows\System32\net.exenet localgroup administrators /add hiddenadmin 10341000x800000000000000060368Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-6C4F-6092-5909-00000000BA01}69723876C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5A09-00000000BA01}7844C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060367Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060366Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060365Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060364Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060363Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5A09-00000000BA01}7844C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060362Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.934{B13AE1A5-6C4F-6092-5809-00000000BA01}22643396C:\Windows\system32\cmd.exe{B13AE1A5-6C4F-6092-5A09-00000000BA01}7844C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060361Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.950{B13AE1A5-6C4F-6092-5A09-00000000BA01}7844C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet localgroup administrators /add hiddenadminC:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x800000000000000060360Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.934{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060359Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.934{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060358Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.934{B13AE1A5-4D0F-6092-F804-00000000BA01}44085236C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060357Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060356Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0E-6092-F104-00000000BA01}46681208C:\Windows\system32\taskhostw.exe{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060355Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060354Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060353Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060352Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44084952C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060351Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060350Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060349Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060348Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.919{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060347Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.903{B13AE1A5-471A-6092-1600-00000000BA01}15721860C:\Windows\system32\svchost.exe{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060346Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.903{B13AE1A5-471A-6092-1600-00000000BA01}15721608C:\Windows\system32\svchost.exe{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060345Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.903{B13AE1A5-6C4F-6092-5909-00000000BA01}69723876C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060344Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.903{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5909-00000000BA01}6972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060343Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-471A-6092-1200-00000000BA01}12163716C:\Windows\System32\svchost.exe{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060342Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-471A-6092-1200-00000000BA01}12163716C:\Windows\System32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060341Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060340Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060339Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060338Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060337Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-4D0B-6092-E204-00000000BA01}12681368C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060336Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.888{B13AE1A5-4D0F-6092-F804-00000000BA01}44084544C:\Windows\Explorer.EXE{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060335Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.897{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" "C:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000060334Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5709-00000000BA01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060333Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060332Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060331Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060330Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060329Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5709-00000000BA01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060328Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.341{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C4F-6092-5709-00000000BA01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060327Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.342{B13AE1A5-6C4F-6092-5709-00000000BA01}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060326Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.153{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58DCDB1CE76AC2EB1E0D67EAB8B4A66,SHA256=D1CE278F6205D4B630671A36B677F6B6D7906F074E16E6A13F0B44C8383A4EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031199Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:40.532{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B590C48946481C2318DC3779E170B8F,SHA256=E0AA44F838B06F746433FFFC33AF69BB56BA400B7792CB32C0E8D076DB2A6CB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060422Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C50-6092-6009-00000000BA01}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060421Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060420Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060419Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060418Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060417Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C50-6092-6009-00000000BA01}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060416Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.669{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C50-6092-6009-00000000BA01}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060415Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.670{B13AE1A5-6C50-6092-6009-00000000BA01}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060414Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FD3227A87972D1CBA308B6E04E443B,SHA256=4E5247CCB37252465343BACF25080A7ECA1DF84A4EF38233AB09CC818D5F8EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060413Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.356{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AF9D132631834FC289A887680D186A,SHA256=97488A124BC6071BC9555895B7656F36166423C96DB7AA58A03827EB78C9B10C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060412Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:38.072{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060411Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.153{B13AE1A5-6C50-6092-5F09-00000000BA01}36283968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060410Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060409Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060408Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060407Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060406Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C50-6092-5F09-00000000BA01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060405Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753B1F0ED451D4B60C51944F8EB075CC,SHA256=A58D664D4E4539C06326B6881E7056D8447855F03F12FE1B9C055DB23CC24FC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060404Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-6C4F-6092-5909-00000000BA01}69723876C:\Windows\system32\conhost.exe{B13AE1A5-6C4F-6092-5E09-00000000BA01}1384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060403Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6C50-6092-5F09-00000000BA01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060402Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C50-6092-5F09-00000000BA01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060401Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:40.000{B13AE1A5-6C50-6092-5F09-00000000BA01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000060400Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060399Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060398Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060397Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060396Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-4D0B-6092-E204-00000000BA01}12684348C:\Windows\system32\csrss.exe{B13AE1A5-6C4F-6092-5E09-00000000BA01}1384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060395Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-6C4F-6092-5809-00000000BA01}22643396C:\Windows\system32\cmd.exe{B13AE1A5-6C4F-6092-5E09-00000000BA01}1384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060394Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.997{B13AE1A5-6C4F-6092-5E09-00000000BA01}1384C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v hiddenadmin /t REG_DWORD /d 0C:\Temp\ATTACKRANGE\Administrator{B13AE1A5-4D0D-6092-9353-2E0000000000}0x2e53932HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{B13AE1A5-6C4F-6092-5809-00000000BA01}2264C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x800000000000000031201Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:41.564{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2737E01F48718170C75B06597F50AE0,SHA256=69A0B69C32DB21347B3215B92973AC95E6EFD7D952D38BFCE37E247E4051490B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060435Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.903{B13AE1A5-6C51-6092-6109-00000000BA01}1565524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060434Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C51-6092-6109-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060433Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060432Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060431Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060430Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060429Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C51-6092-6109-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060428Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C51-6092-6109-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060427Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.763{B13AE1A5-6C51-6092-6109-00000000BA01}156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060426Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D903B86E677EB2F1CC9C591E917B8E0,SHA256=E16886C8044AC09C925ECC3CBA57C8FF50949558948387BA0A0EBA296CAD6468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060425Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:41.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5FF9ACEA37BF2E1A756200CC679A6E,SHA256=61A5DF91C75ABB3F7A09720D3DC96F1C17A5453C00FA3DEAE7F542F3842591E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031200Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:38.850{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51624-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000060424Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.961{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54128-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000060423Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:39.961{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54128-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 23542300x800000000000000031202Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:42.595{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9729DE9A099F95CF8398BA96038BCE,SHA256=00524EB87A6BAB4611B575B19C167E9D95B3514F8347130E4872308699807643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060446Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.778{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75233C630D089880FD334C325170A16B,SHA256=518DDC38E0286806448D87FD639CC55463B51A0151D5B29AE83A598273A3891D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060445Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.700{B13AE1A5-6C52-6092-6209-00000000BA01}31925360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060444Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C52-6092-6209-00000000BA01}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060443Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060442Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060441Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060440Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060439Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C52-6092-6209-00000000BA01}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060438Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C52-6092-6209-00000000BA01}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060437Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.560{B13AE1A5-6C52-6092-6209-00000000BA01}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060436Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:42.403{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF48975EABD56B695D6CC1E95420684,SHA256=F153B96AC92E28D72A10A522EE71462A828ECD53D87B890CFDAC431C770D9852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031203Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:43.704{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DB439EEC3BA858376448455A674161,SHA256=FECB0B1618ED14F76EB03D06DB1BA83F475CD8555D349BD7BF46026ACF019043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060457Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.450{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349FEB5FFF14E37A5E136FB3B2FCF491,SHA256=38FE781ED0D8D46492D033CA9FF660F55CB850792EFD467FD483D8D4191C81BB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000060456Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 09:58:43.388{B13AE1A5-6C4F-6092-5E09-00000000BA01}1384C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\hiddenadminDWORD (0x00000000) 10341000x800000000000000060455Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.388{B13AE1A5-6C53-6092-6309-00000000BA01}71204568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060454Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C53-6092-6309-00000000BA01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060453Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060452Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060451Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060450Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060449Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6C53-6092-6309-00000000BA01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060448Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.231{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C53-6092-6309-00000000BA01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060447Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.232{B13AE1A5-6C53-6092-6309-00000000BA01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031204Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:44.751{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4845A760F92447C5A5A246D02A8BDB,SHA256=1BFF612E92A813F2B7559FD9F2BE4958C3E651FC5954809A33A4085B43C83720,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060468Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C54-6092-6409-00000000BA01}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060467Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060466Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060465Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060464Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060463Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C54-6092-6409-00000000BA01}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060462Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.669{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C54-6092-6409-00000000BA01}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060461Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.670{B13AE1A5-6C54-6092-6409-00000000BA01}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060460Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.497{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2164E7E783D207EE5916E01EF56357,SHA256=1CBD107795D0729D637A0EE1BB4EE5B119C111390C24FDFC6C89B48BC7A071A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060459Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:43.088{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060458Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:44.278{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D9C993B4F727A87DAFD271D7E7A3DC,SHA256=E33F21BA7872BDDA4EA8F40C878EA603DE23061CDE67B790CA02CE7D1569084C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031206Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:45.782{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72DBCBD142D476001A07B8F5CBD35C0,SHA256=74C07120C6EC9C24B2ECBB7B6715EAA828C728480EC46A13775E2FC18BD221BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060470Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:45.701{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793EB75EA33D57B15A70898A6FEB54C5,SHA256=54E402049FEDA6BCE4145FA0D0188CB6508ACC95DF2DBCCEF6C66A975B4B9230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060469Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:45.544{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB3BE7F5F8995F6FC9561E1BFEB5FC8,SHA256=7BB5B4ABAE02E4AF4F65224F73153433857274E17FB6CAA2E1FEE698540FF068,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031205Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:43.865{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031207Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:46.829{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCEE17089A83855E3C483F03287B576,SHA256=8AD42C146C339964B66AD794E6D6764CF3789DE9B4E1E38869A73312558DBB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060471Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:46.638{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A90AC6EE6C0030C67FBAE86AF71642B,SHA256=DD89DEF876DA6415AE7A66F8C9FA3A5CBC93DEC8FCEE148ACC712549DB2AF588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031208Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:47.907{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33BFC710CE083121E7A2E1CAA724049,SHA256=5029213440C191682959BEBCB0A50C410DB09340D2A5416786629A675B4E5BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060472Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:47.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7EFA27B6B3F450E91E0E465817F912,SHA256=ED46D39E8B737760A574B28A1A782F5FA31114102B0DEDF64D0FA05A7E32DC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060473Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:48.685{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F23F975AEC4A670C2318C4F1C96AA4,SHA256=BD05A8A50BC73DBD660E46DF1A9739B05BEDE00B163D5D08A55CF0DC087A182C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060474Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:49.700{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4522E36C69C20AF5A506264E7F2B39AE,SHA256=1A7EAA8D979D2E959910C5CF8625C10CDED92BE2876F3A5683A70DBA2353A173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031209Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:49.095{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C447465A1A81E9E1F775013834A98F,SHA256=D80BA3CE4DBC9237AEC28495C5529337DCF1F1E1CC3292086765F5622D5A735F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060476Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:49.119{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060475Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:50.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF02610D0003ADDDCA7AE3932A353641,SHA256=5F81A93D7D660FDDB275B6A7D021D41944161252877D8DD993ABDA1349FFDCDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031211Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:48.896{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031210Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:50.110{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D70DA769276F0CB83F21C187200674,SHA256=5424642F0B4ABA52178B9A539C4055B27A8B4DDE9D105B23B44EC721B7C447A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060479Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:51.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CA96B85B6C0CCD6C55083EAEBBC339B,SHA256=A47509B243BA0DC7BE1AFC34B986FBC11992ED9006071F30314E123D3BAE0F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060478Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:51.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268042AFBB2E429EAEB433EA4CB503BB,SHA256=1C26FA27DD7A8495E436C0A776E23267DA9D3AC74506E16DB9103BE574CB063F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060477Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:51.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7908D8BB00582624A116CB5D33CB3D4E,SHA256=1E06AA996A4E619AE57E19213401CFD83645F9F7155A396CC7E018A2592E6324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031212Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:51.126{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98AD71DFF593E29B88DA4A02DD1B6B1,SHA256=AFCCA83541A2E88D5BBC93CC607314B26FBD8B98A0D9166AF6D0065692C9711C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060480Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:52.747{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684832AFFD1B9451E8B7FDB5B3D0231A,SHA256=BFBBA0F62BD01803F7811AA813BC71CEB96F831494037E11C9BE10976A73F413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031213Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:52.142{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237CFF68400792B61D602FBE7D832DC1,SHA256=D649D09A790BDB2DE6C93AEC46EDA75DE208101A379DA078BF2665C7965C4E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060481Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:53.763{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11C5E3F8BE53DFE9770D7B529ACD163,SHA256=C3DBA1EBF22946E2EB9F53A0EE6E431B6A9F67474E0F18A308DD395A88514D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031214Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:53.157{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71F1401ED382DB2E452D79BC3C78B08,SHA256=D23C6A4866B27D98AD1DF632339BED23AE7FB37ACA01A0C16689E7FB61CEA7E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060482Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:54.778{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AE91F75720DC767185086BECA8C68C,SHA256=A24B667C2FB1BD84B7EA80B38D5615F90F298DC124791AB11A1D8E0F3AD2BA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031215Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:54.313{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02869D2217873E224011FFDF40CFA422,SHA256=BCDA05D323441121A55A1687B049D1EEF4ABA01D055A0840595B63C37832EF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060483Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:55.794{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A56FB103940CCB9BBCFF3AD15A11C9,SHA256=E85E79C20B6F36A6B3CAF39F3BEFC9780FBBEED1F22EDA5D83A9EF3240879244,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000031217Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:58:55.532{04D9AEC0-4953-6092-1100-00000000BC01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74195-0x42ad9fb7) 23542300x800000000000000031216Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:55.360{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12FDBC68DC431D00E9D85D8E78E5A93,SHA256=3F587314A16D9AC2CF52810EE25CDBAA9D18897C29A321D4ED9136803818D752,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060487Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:55.467{B13AE1A5-471A-6092-1100-00000000BA01}1184C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-763.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 354300x800000000000000060486Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:55.119{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060485Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:56.809{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54D3263D760C2DBCF818B020F791552,SHA256=049FF6BFFFBB3DF6FD42E9C2F1527A6D4D7D591E703EB56379125954616DFC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031219Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:56.376{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAFE0A015A4325CC6416D96A45862C6,SHA256=2A3072955B6A24E79EE1DAAF603B42E6944A32B66EAA6687089098EFD1B29123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060484Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:56.684{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=17CD092429CA602CD984935D7044E3F2,SHA256=B03412BE0A1825F61A243C2B78F67803D1C2CF5DE847E5DF0AF5E0CC476282BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031218Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:53.974{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060488Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:57.810{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBDC20D8953E88B6AB2E9AA62F21FC3,SHA256=B02A7FF95C8D67F722E43EC7679A04F1659BF0272AB0F8B4A90BD7842A0A973E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031222Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:57.407{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDABC1E6A5A36241CCAC5A0E0A0CCD6F,SHA256=89CC793E78EE6C624869771F1539111CBBF8B608C201E715163183CAE49D5351,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031221Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:55.301{04D9AEC0-4953-6092-1100-00000000BC01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-273.attackrange.local123ntpfalse51.105.208.173-123ntp 354300x800000000000000031220Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:55.301{04D9AEC0-4953-6092-1100-00000000BC01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-273.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x800000000000000060489Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:58.825{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E765B68CC29BD07B13C6EB1A0E547599,SHA256=38BD72F612D52A045925BE098B5000F2AD0958F16842E50D6226E1741743E3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031223Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:58.423{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740162C926C3629F4C83C4393EE5A766,SHA256=D3BCA21ED80775031A7BFECF8483B92117515327E29F5CC49D399069CEE9FEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060490Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:58:59.856{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C3DFA14FC485937450F980735D8A3,SHA256=FB29DD0A9085308715A02D87BF07AB60BE67697DD8A441A2AC763A809EB941A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031224Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:59.438{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E4BEF5070AD35982F2956CB500AD7,SHA256=4A1CCD01F6894359CCAF950AE55D7C3918B153F2835609A72241AB94FE70F997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031225Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:00.501{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D934EAFF8A3DCFE3A8B3455B37CFCF6B,SHA256=023D371D7A25D4C6A87909570F754FD0A5EBCC304C77BB0CD770575F620EE948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060491Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:00.966{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F264B723E1B4B203E4BC9CDFF137ACD3,SHA256=3D6700118622DD0D0AAD5DA526337FEFD1AD123C17727558B8D6033F852205A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060492Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:01.981{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29810C58953891C92481C325E94DBF2D,SHA256=16C1D4CE2AAF748600D70582F658050BF52877C7DFFFA700DD32A9755568AD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031227Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:01.563{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847E11B40F4AADB2BF1B20EB0563EFF3,SHA256=2B8B38547DB8DE1E8C96CCB3B3B701E8CAAC193720CCC795EAF7A20E52BF6E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031226Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:58:59.005{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060493Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:02.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218020C8FC80C6F5AA0169CB47A8FD8A,SHA256=E52ACC5E0859C045814E960B319C78317DD37399D60C1C70082E8A94A816FACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031228Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:02.610{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259006F44D57E7A016D019181484E072,SHA256=E29E3B78E344D71EBCC5E99B4E7FFE4B812203F21550C1F4A50F2305C861B49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031229Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:03.626{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75896B99DF349682C2CB9DD3B30352B2,SHA256=0071A6420AF1CCA6655870CD5E38378A5539DB9A9492C240C835E1DC299D3B52,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060494Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:01.135{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031230Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:04.641{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7803EA4AC7BB30186E98139AFCD7C7E,SHA256=0A8888EBD46BA02009767FC2AFAF1AA9F606C7C20406054B6F5FF7D3CF7C1360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060495Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:04.013{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0561B3950908C899B3DA2C6A907BEF8,SHA256=BC9F4B917AF1DB2BC10025B9241558D99F030BD8673AF8006ADAC3E6E489750A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031232Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:05.657{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5545291AA5D59DB0E68B87B08D50E9AF,SHA256=111C1501D1B05D426B7D50C133CF4EB45D914E82E827B57A41D0455B5F36C052,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031231Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:04.021{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060496Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:05.013{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA9A6C20712E4044A3FDC936B66D673,SHA256=932A4EBD7BF12B85A43B116EB50535D35FDAF080F4115026F70D9D96477CBD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031233Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:06.672{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C8605B288979F739961BB19813AA24,SHA256=E1BD19482B1D21AD0FD15260C52B82E6D1BC6EE31B28D69B9817B50A8315E1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060497Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:06.028{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DA3CB25E1BEA3C1968F7A47F9A2F82,SHA256=0352CC480BF67D1595D12036BD5B120D4894CA934049BD47D40F5B7A280B7281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031234Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:07.688{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F00B4BE91195DF77B09A48AC279CC4D,SHA256=D062D9AEC13CB881851CB2A8E57F7C54A80880F439418C90DEF7FA64B09D8F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060498Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:07.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDF2D74855852BA0FE7B17D51888872,SHA256=76F7595AC46842372D8F8014E46AF6097312D300B382929908B8734FF887AB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031235Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:08.688{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8864904465A8E74972036A5B786AFF,SHA256=2AB1D2A0539C6C5EAE95DA90502ACD389A694CED40D8889E6554E2536A2000F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060499Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:08.075{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FF445B5AC07A5EC0800044BD295BBD,SHA256=97445D843E01266227B9ED175A64CAFC7A019677ADF99BD91FECB1313092B727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031236Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:09.704{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC17D9629CA87FFA8A1AF52347B825F,SHA256=E2B87E5D7AF64A55066A6507DE64738A22B3319C1275FE29D4735641B4998CA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060501Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:07.166{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060500Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:09.091{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E642CA740032E0DFF632C1575520D9A,SHA256=77B568267619E47547D207596F5BB8C2795D8D083003BCFE24E3A424BACCF789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031237Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:10.719{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF361426412E6E7F35B3D330E9381160,SHA256=FB2F1A4AECC869AB56767392993CCE00696CAB197324B6490FB7F9615BBA0FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060502Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:10.122{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EAC3040ACFC41FAAF53220AE0A574A,SHA256=B7BDFDFEAC0D38DF045E19F1FB41CADEFDF524985B3A0F2DE9A98146D8EEE797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031252Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:09.786{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031251Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.735{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F48BA6FBCE4705AA2EB125038305A,SHA256=727930C502CFAE210B80BC5EF282DDD0BC068B78227D77F3C18F5CAFD22E34C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060503Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:11.138{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4D78E894EE67D6393B7ED73983C462,SHA256=F670637556211DFD4FD12C37F5A4E4F7B69786EF7A83DACDB699095E1935043D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031250Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C6F-6092-ED04-00000000BC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031249Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031248Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031247Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031246Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031245Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031244Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031243Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031242Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031241Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031240Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6C6F-6092-ED04-00000000BC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031239Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C6F-6092-ED04-00000000BC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031238Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:11.704{04D9AEC0-6C6F-6092-ED04-00000000BC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031282Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C70-6092-EF04-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031281Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031280Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031279Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031278Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031277Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031276Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031275Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031274Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031273Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031272Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6C70-6092-EF04-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031271Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.922{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C70-6092-EF04-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031270Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.923{04D9AEC0-6C70-6092-EF04-00000000BC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031269Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.844{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7888E23E756D02C2F5B0BAE8AFEB5659,SHA256=AE85146B7F8D36A20438355FA1B02FF7868B66CAD1A9D9DCE54E6FE2B6CD955E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060504Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:12.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC231A13C25BAA551AA278802D129C8,SHA256=96D0631B248816ACA85D162C20280AC429B992D174546476D092671BBFB533CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031268Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.735{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD3E701DB46E4994841A455545816C5,SHA256=F7DE1530FD5C89E18B96798366A59391ADBDEA0D832DF12DC46162A5804AB1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031267Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.735{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E15C3D4BC65F97B54B9A62591FFCF00F,SHA256=380A9F0003B4A96DC61F32D9A5AB2831ED61F55B6EAEB7C2C2DEDC36752A4E69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031266Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.516{04D9AEC0-6C70-6092-EE04-00000000BC01}38161040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031265Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C70-6092-EE04-00000000BC01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031264Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031263Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031262Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031261Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031260Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031259Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031258Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031257Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031256Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031255Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6C70-6092-EE04-00000000BC01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031254Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C70-6092-EE04-00000000BC01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031253Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:12.376{04D9AEC0-6C70-6092-EE04-00000000BC01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031297Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C71-6092-F004-00000000BC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031296Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031295Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031294Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031293Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031292Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031291Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031290Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031289Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031288Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031287Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6C71-6092-F004-00000000BC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031286Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.985{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C71-6092-F004-00000000BC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031285Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.986{04D9AEC0-6C71-6092-F004-00000000BC01}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031284Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.938{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD3E701DB46E4994841A455545816C5,SHA256=F7DE1530FD5C89E18B96798366A59391ADBDEA0D832DF12DC46162A5804AB1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031283Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:13.891{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FC81836D307A9BA06A199069C72C2E,SHA256=9FFD42339D91A0DB7790F45697CF7FCD2BF3AC577695E67BFB3FC35ECA1AE425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060505Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:13.200{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54652244C37ADE522268712171B34C6B,SHA256=EE04D7E606A0C656699E82E22DDD4E210828E77CCA676020DF1EF6164244EF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031300Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:14.954{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057FFAF7E1E05D9B8603BC0501DF8A14,SHA256=3232D65FD7EFED7BA6C9874C0B5A136CAA3210E7287764E53F862B4A146941C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031299Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:14.954{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031298Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:14.125{04D9AEC0-6C71-6092-F004-00000000BC01}27201416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000060507Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:13.197{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060506Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:14.263{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A0A840649C2F0A312E20E358835CF7,SHA256=D870A8D4909D83FBBC9F0C4096A9BA67B72D0C63C5DA3DF03657B0FCBFDE5350,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031328Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C73-6092-F204-00000000BC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031327Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031326Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031325Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031324Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031323Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031322Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031321Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031320Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031319Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031318Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6C73-6092-F204-00000000BC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031317Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.891{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C73-6092-F204-00000000BC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031316Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.892{04D9AEC0-6C73-6092-F204-00000000BC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031315Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.360{04D9AEC0-6C73-6092-F104-00000000BC01}38042852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031314Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C73-6092-F104-00000000BC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031313Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031312Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031311Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031310Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031309Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031308Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031307Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031306Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031305Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031304Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6C73-6092-F104-00000000BC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031303Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.219{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C73-6092-F104-00000000BC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031302Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.220{04D9AEC0-6C73-6092-F104-00000000BC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031301Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:15.016{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1F2C0E6FDBDD44D65B904F492D2A7E8,SHA256=9FF06E25AD5ECAD842FA3D2D56F6ACBECFB1F921E0140B62349D289EDCC74AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060508Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:15.263{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70126F15740951590CA0D2D5B271C05,SHA256=7024EDF5DD85CABB23EEB7E2ADD29C62376DB2AC21FB611D0084B61D27D26A04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031344Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.594{04D9AEC0-6C74-6092-F304-00000000BC01}35002124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031343Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6C74-6092-F304-00000000BC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031342Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031341Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031340Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031339Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031338Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031337Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031336Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031335Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031334Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031333Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6C74-6092-F304-00000000BC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031332Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6C74-6092-F304-00000000BC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031331Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.456{04D9AEC0-6C74-6092-F304-00000000BC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031330Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71C45591BF76D97035BC263A0594BAA,SHA256=FAF460E2BB6CD06D65B46472FEF0B077019E59B5B700E5D14F8BEE7C19E28A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031329Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:16.454{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DBC664BDD72656DD017C1B6FDCB2BB8,SHA256=D16078BF073731DD829323E0D43717FC528D89DD4641F77473D7881D393C3387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060509Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:16.309{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A18C2461188BF76E39C9641CEB74E9,SHA256=CF9673E0B3AD96DE3BD3F58783C07BEDAB6BC244EF41F18DE10E016764CE112F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031348Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:17.500{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47F5E554899D8EE31D2C348A766035C3,SHA256=5996D3302D807BBC6BE36F2C4D4514AF69536AFB1D652C618736E16DA4A89099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031347Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:17.469{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A50AE92D3D43747A152F990636E4DD7,SHA256=30969A26E59682A6DAC6BD9290049D0277859C7989B977A2987AA45145D2319F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060510Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:17.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9AE8C033B119DC0A44D2894460FA0C,SHA256=2FEEAED179566019F034FD62B78BE6773E9FCE5248175D9C37012F16ED719AF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031346Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:14.802{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031345Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:14.724{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000031349Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:18.500{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0AE9C1EEF50F07947AB2D95AD62CCA,SHA256=59249C4D3EE5FE6CAE88FFBEA1CFDADCF8A2D351C152F4D405AC2780C090F798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060511Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:18.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C593E1482C4DAC0AE8EA73E1592154DC,SHA256=D9FF0669096AD4247A953072E91FE9F6A60AFEFF698DBD6502990D8C659BD26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031350Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:19.672{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF35756DD7F68C9411556777A7D4569F,SHA256=8CD3D7869D55209A0C9372AB07E0183B62AB3B8A580A797C3FAF181C857586CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060513Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:19.497{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-697D-6092-9B08-00000000BA01}6148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060512Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:19.450{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A5E6C3D172CFC00B6C0A4EE75DD2DA,SHA256=4655BEAF011CE834B3793103C9E0DA643A705ED654DACF100636B71D732F6D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031351Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:20.688{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6201D1A7234D12529694F7CEA77948,SHA256=87BA8CA589E6A02CA88004AD32C203CA54455336D73AEBF00F12AFCF6C61CB92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060515Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:19.181{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060514Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:20.497{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1673102CFCAAF4B908BAFDDB974A23AD,SHA256=EC8D1E153B33455196E03F029D84C83B1461D26DE714E94DEB2913BF55180F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031352Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:21.750{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB04D23DC3C5E8E8CDEC6858124A3446,SHA256=04D190BD92314DB1AF94F35A8633D9B6B26A8CADC015E81BC40183E180D646F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060516Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:21.528{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1676D9DEEA8380338273273951096E9A,SHA256=A1502C989922A494660DBC9A7EEB0EF88ECB157686281B7F62250B3CF91941D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031356Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:22.875{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CBC76A97ECCB217E8366D6D5559B9141,SHA256=5A7E00BB30F5DB36267ED51D1F9D7E46170B21BC96E2CC6BB6F4CD1DDC975F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031355Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:22.875{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4E6D969A8180E8823C83EB7240E25884,SHA256=0B07172CDB42D8C8AF482BF5F3FB887911818D5285DC95583282BB98BE915148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031354Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:22.782{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354EA4FD1E8C69136BB78945B947AA31,SHA256=723817F618070E715099261B86A33AD9F97281F27C452CA1E3A4F14F07E802E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060517Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:22.591{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED066474C418EDB9EC4E9190B1855C7,SHA256=C7D0649A411399F1F0F8E763F74CEAAD793D5F08B568567AE8175D87687388BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031353Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:20.848{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031357Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:23.844{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B66AA081280E9A6A223B415FCE0C5E,SHA256=FFBCD5A72B21703B8B5A0FE2B8878C89AAA7427D9D4FE5B400ABB27AB8F7FA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060518Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:23.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACF8812DC68AD8F763B0D1C646E4B89,SHA256=57FF6D681BAB1D0316CAB7663F4404DF0D380AACE598A25902C46DA757346415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031384Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:24.875{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D87E1A332E6E67E3E1A184206629E,SHA256=00E8C3BE9AF458590AD65521C2055B03C6D516386C3ECD2F72DC6F7FB792E0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060520Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:24.934{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-4719-6092-0C00-00000000BA01}608C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060519Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:24.669{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16318AC41E639F1E27176C50BB2E3ACF,SHA256=ECEA72831C407887889E401E09AC644A94EC1DF1811287C0CCEE9E36006D54CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031383Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:24.375{04D9AEC0-4952-6092-0B00-00000000BC01}8642820C:\Windows\system32\lsass.exe{04D9AEC0-4950-6092-0100-00000000BC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000031382Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000031381Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000031380Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000031379Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000031378Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000031377Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000031376Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000031375Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000031374Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000031373Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000031372Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000031371Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-host-273 13241300x800000000000000031370Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000031369Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000031368Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000031367Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000031366Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x60927a8c) 13241300x800000000000000031365Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x609278ca) 13241300x800000000000000031364Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x60927384) 13241300x800000000000000031363Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x60926c7c) 13241300x800000000000000031362Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000031361Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000031360Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000031359Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.15 13241300x800000000000000031358Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 09:59:24.032{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000031390Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:25.907{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3B642069034EAE1683EA0B79A51AAE,SHA256=7579152BC5BFCA22A780FCE22256266D2BF4DAD15B13DE8338D27391F95BBBFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060528Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:24.328{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51634-false10.0.1.14win-dc-763.attackrange.local445microsoft-ds 354300x800000000000000060527Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:24.212{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000060526Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:23.992{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50981- 354300x800000000000000060525Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:23.991{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal55816- 23542300x800000000000000060524Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B198F5988BF1289FDEB3035974A34141,SHA256=7D9982E5EAB6387419930887DA82A60910D1433849705D489BEBCAB56466B282,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031389Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:23.826{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-273.attackrange.local55816-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000031388Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:23.826{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:601:401:28b1:7ea0:8494:ffff-55816-truea00:10e:6c24:784c:8b64:2470:488d:7302-53domain 354300x800000000000000031387Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:23.826{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:601:401:28b1:7ea0:8494:ffff-54673-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000031386Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:23.825{04D9AEC0-4953-6092-1400-00000000BC01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:c99f:77b3:6593:ac73win-host-273.attackrange.local54673-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000031385Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:23.817{04D9AEC0-4953-6092-1000-00000000BC01}1068C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-273.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000060523Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE5FB17A4DA51708D85954EBD5E6B8EC,SHA256=541090A32ED15C05D33BE804A5D91312D06806FB8CC2D6B033AC0C6796977B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060522Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.388{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CA96B85B6C0CCD6C55083EAEBBC339B,SHA256=A47509B243BA0DC7BE1AFC34B986FBC11992ED9006071F30314E123D3BAE0F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060521Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.200{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060531Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.150{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000060530Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:26.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE5FB17A4DA51708D85954EBD5E6B8EC,SHA256=541090A32ED15C05D33BE804A5D91312D06806FB8CC2D6B033AC0C6796977B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060529Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:26.778{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D857D71BB638CABB5C8D570AA3F3C15,SHA256=1013E28D9475C60C0E265FA0A17FEEC3AC1E49DCC920F70C3028538B30E66C47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031392Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:24.163{04D9AEC0-4950-6092-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51634-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x800000000000000031391Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:26.078{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=96A6B8D1ECCEF76283ED16EA3D21C7CD,SHA256=EC93349E3B9B7B8CFF5486972631BCA6124495E147AB7539A174FD0FB566530C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060534Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.822{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54138-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000060533Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:25.822{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54138-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000060532Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:27.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98AE9ABEAC94A3FFDD4E5EEDD8EF157,SHA256=063B7E8C7FB1FBDAFAF34657CCBCCE21871798985A2E219FB750981C18C44BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031394Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:25.895{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51635-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031393Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:27.016{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9733F557E2638D660D21475A21F220,SHA256=DACC14C8F211E7DC308313E25B1A35CF90DCB5136E774DCFFA7BAE9221A61C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060535Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:28.966{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00DF14A887343FF14534DD5BA9B66A6,SHA256=55B9E302FE512B899F170383D358235FE02E420E9205757BCAE33252FD1AFFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031395Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:28.031{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A1EE5E3B1847F7E8EE0DFD2CCA626B,SHA256=8D7A369524418AFC0BC6A128E984AD88BA7A14F4E1CF6DC4840B8613AE33892D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060536Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:29.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246B1E33459B412830D89348EEC69290,SHA256=C2413891E5317C3BFCD192315C14A91CA0410B92503C7F6C9C0B088DB2AF8D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031396Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:29.110{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9725DD192ED8BDA3C245C267BFAB7B0,SHA256=71E682E973C77609FF2CACCB6D0AECB4092783536F55B6219CB90DCB19129EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031397Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:30.125{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5122223442C4A91C190A181A5C8E6AEA,SHA256=A24BF94FE8828DE7AAB9546CED90390137BEB8DA0353F9C8F406F7F0982FBAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060537Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:31.028{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E7CAC30DD7D96E01A52371782B716C,SHA256=E52ECAE16B050895CA76EADF1034B8E1046DA3913BB98FF0DAADBC20A96DF65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031398Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:31.141{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC32864680BD0DE5B212EAC2EE964A81,SHA256=059A0E5C8970B62B33CDD0E12F50FE63775969147ACCC0E7C49021843F073EBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031400Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:30.942{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51636-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031399Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:32.172{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BB4146C831BD4ABEDCC9C59FD39BA9,SHA256=E37B04843E72A6552D444CB8A5F5234D6807DEE1D61ED6F525617DABB185B9B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060539Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:30.040{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060538Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:32.075{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497C59D4714E8915A9C7335ACA357CC5,SHA256=79B637034DE112731614A5BFF3EAEBD029DC6352D290B8BAE19E50F227EFABC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031401Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:33.250{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0076D56817EBD9E0084C99642492BEB,SHA256=E6D0FEC83F1BB3E4D9E7C71B1A3385DA2107414D15441E5F4E716E437528125F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060540Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:33.106{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31ECD13A7C9C2A4ED2B3AFD080205763,SHA256=88C80DAAE7E487CF282A40E5B8B9178A6955F01818BB646C2B07D4B5A3ED5A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060541Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:34.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34115FDB4614AFA0FF089B3897AB29B,SHA256=E2A8E12F5905E966D1C39EB9E6B645CA9CF2AFB1259DFFFDCA3605A10CDC7479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031402Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:34.375{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3CEDC930162C2D25C443132F0C6367,SHA256=256C028C60CFB0BF791F34A714E253961887E13BC2BF9378A159E346DA2C11DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060542Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:35.309{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7933037C3F8FD9403FB0D5B278130883,SHA256=5B8AE3ADAE5487C9C24D60B902584CEA085BFA2B675E006570FF25D11A9F00BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031403Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:35.391{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C1877B375753599B439C92C2C7087D,SHA256=8AF9E26A0A26D5B5CECCE1D716555CC743EB7D6DEF7893BEA539D2AFBB4F21C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060545Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:36.325{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4349ABC9B17C14A43A3674BD86C5A14,SHA256=BB49C2718AEC13915366B7EB561D22BADCC18662AFB8C0C744F781D7BFFF23C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031404Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:36.406{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AABE0962F144D816068C42657F522F,SHA256=EDF72A298AC8EFD6D35013180DC8C57E1BCD6A58E7915768DFBBBE31D13EF4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060544Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:36.294{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8E61402DCD9E45732665581B26878F8,SHA256=7E3DEDB5EDD53DF6F46FD6C66A64DE2338318FE463A20B14BAA364292FEE9F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060543Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:36.294{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B1A43B1B190534F0F41C5802DEBF153,SHA256=CEF657C0E54DF56F6500BA3DF0D2D9F62AE95A7B075F5F9D286C06DBECC3FCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031405Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:37.563{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E717A4A5F12C287629D4900073DB3D,SHA256=30015CDE61D8B6D54711C17539DE72353DF958AA228CAE2A0492907FEEACE6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060546Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:37.341{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC8DD0111B95533592B943541445213,SHA256=68D3B77A963CB6F7B4A75981E2C1DE415C98E4C9024A21A9C2869800B73F3D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031407Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:38.594{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974E59E4A94C00EB8AA599B45D2A49DE,SHA256=D712D20384B757D89058755181C9E8E2E6DD3714B2F0A33CE06820FAED3CC7FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060548Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:36.040{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060547Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:38.341{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C7C8DFA414FBFBC04F63921A251747,SHA256=AB676D23C2656354D929B9B755D217E4C9C2266834B383BB1E39ACE85C077AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031406Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:35.973{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51637-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031408Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:39.641{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AC543035A7E589AFC88C6192C23F75,SHA256=30DA2F4B3DA4365427B8E828DA5B67A7C72A4AA97BD6392F9812F74A9DC49896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060557Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16B96951115EDB1190887DB19B924DA,SHA256=375D55A8078566C113C21033AC9B83A71ACF376056B8FFBCD4F58ED83FD25737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060556Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C8B-6092-6509-00000000BA01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060555Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060554Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060553Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060552Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060551Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C8B-6092-6509-00000000BA01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060550Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.356{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C8B-6092-6509-00000000BA01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060549Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:39.357{B13AE1A5-6C8B-6092-6509-00000000BA01}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000060576Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C8C-6092-6709-00000000BA01}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060575Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060574Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060573Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060572Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060571Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C8C-6092-6709-00000000BA01}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060570Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.653{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C8C-6092-6709-00000000BA01}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060569Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.654{B13AE1A5-6C8C-6092-6709-00000000BA01}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060568Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7903FC9E8F1269CF68094F9AF12BBD,SHA256=2D98291B545DF283CEF4C8D8FB48285D475EDD04F51506C9D2363E3A086F9684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060567Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8E61402DCD9E45732665581B26878F8,SHA256=7E3DEDB5EDD53DF6F46FD6C66A64DE2338318FE463A20B14BAA364292FEE9F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031409Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:40.656{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60541A6250A6F879288CD3D3F46D692B,SHA256=8E9BEEE7158469A57613DB4B2D358AD21AD5B9974D77535AC9BDBC0B5FC438D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060566Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.169{B13AE1A5-6C8C-6092-6609-00000000BA01}58967964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060565Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C8C-6092-6609-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060564Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060563Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060562Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060561Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060560Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C8C-6092-6609-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060559Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.028{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C8C-6092-6609-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060558Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:40.029{B13AE1A5-6C8C-6092-6609-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031410Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:41.687{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE41043402D1157F39F544B2072FFB01,SHA256=57A853EA371BE371B6AE772D4E8EF7F27DAEFD057582CFB839FB3D3E9A1137B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060587Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.903{B13AE1A5-6C8D-6092-6809-00000000BA01}63968188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060586Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C8D-6092-6809-00000000BA01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060585Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060584Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060583Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060582Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060581Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C8D-6092-6809-00000000BA01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060580Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.762{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C8D-6092-6809-00000000BA01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060579Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.763{B13AE1A5-6C8D-6092-6809-00000000BA01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060578Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.716{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B34B62CD751401969E99A23C787AF805,SHA256=D954100A020CAF1A03599A13C000713FFD19000B0CE80149D73CDE7E88ED7C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060577Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:41.372{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE377651FADC10605755AE99AB4A1E63,SHA256=AC7B114F8D26F3C63B79038BD4F1DCDA2D52B71EF43862FEE589B73A3EA09914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031411Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:42.703{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB882ADA57E8DEEED8357AA8E6DB153,SHA256=2E2E61136BA1519A657B26F9C47C91423BA7DAB663EDC01A0ABE092199EE3515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060598Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.778{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FC9EF24330726EC517995AC80A0CED,SHA256=9D53E1325F214D025773B2D6C0E7CF05D5205788BADEFE3B2A2EB980D53E13C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060597Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.591{B13AE1A5-6C8E-6092-6909-00000000BA01}63007412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060596Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C8E-6092-6909-00000000BA01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060595Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060594Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060593Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060592Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060591Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6C8E-6092-6909-00000000BA01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060590Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.450{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C8E-6092-6909-00000000BA01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060589Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.451{B13AE1A5-6C8E-6092-6909-00000000BA01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060588Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.387{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E44F729C98E06DB8742F9569279B15,SHA256=BCB9824943646125125A94ECD49E428C7EE37E21F273BA2E401D2E7845A0DE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031413Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:43.719{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406B704DAA3061DCB89066B1496DF63C,SHA256=E7C4198BA7C8C2928916B5044799469C1EED95358283564893510CACDB9CCCCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060609Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:42.056{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060608Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.403{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A443319254DCF1E75D1C2C0985FFD38E,SHA256=3CABB7413A653646E06D1AE73DF03CCA220D631CA67465460130130D241CF328,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031412Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:42.020{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060607Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.278{B13AE1A5-6C8F-6092-6A09-00000000BA01}30887156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060606Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C8F-6092-6A09-00000000BA01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060605Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060604Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060603Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060602Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060601Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6C8F-6092-6A09-00000000BA01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060600Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.122{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C8F-6092-6A09-00000000BA01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060599Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:43.123{B13AE1A5-6C8F-6092-6A09-00000000BA01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031414Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:44.719{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7172CDE0B341456396944459671E24C1,SHA256=B46BF8C8A4DCEF63BCF823E580AF9D5F8BA3612EB175EF9170919219D980AAC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060619Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6C90-6092-6B09-00000000BA01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060618Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060617Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060616Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060615Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060614Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6C90-6092-6B09-00000000BA01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060613Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.575{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6C90-6092-6B09-00000000BA01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060612Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.576{B13AE1A5-6C90-6092-6B09-00000000BA01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060611Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.497{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B819192C5ECD5966EF992DD283C18B,SHA256=EF839FDFFE8E8AD9C8C326CC0F065CB16B7047F1C08E2E2F15B70800E8A1DE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060610Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:44.153{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA329698467E28A63F183924A20422A,SHA256=4DB6F5FBE807C418E127090406CA858743ADF4F5EBC32D78BFA77F802FD28236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031415Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:45.734{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD03C7C6B44E89F71BD8A9520B8D3412,SHA256=3183F65A602950059DB8CD1DEC98464FA20E8197ADD3B27BF2ED8D80F2C34A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060621Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:45.591{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D2503680F9DF0CEC74E93D9BE5BF598,SHA256=0C1BD61DA56A2309A8C3E72052D83F5FF6DC7E7CBB8A1F2CA7D99E0CCAE79637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060620Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:45.528{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB588E602AA5FC62ACF8BA483C262F4F,SHA256=E7D7B488B5DA5808C2348D5BC3362ED9A10448874E3C6F20F4F5E98AA4BB97AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031416Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:46.750{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74269E0BAC0D8A013E3214CD854D1CA,SHA256=5F010DF49EB876A91C012F494AB701B00FFFC23534DEEBB51EF5C21F29EBF71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060622Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:46.544{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324F9A4583D4CC212B502D7DC29012D5,SHA256=805D41C1266B72F6699CBA7602F660935DD473A11A77AA1090F38E6F92D917EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031417Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:47.765{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8229E09FB9F4281EAD97028694DBD23,SHA256=C6B8013BE1DC8CF50855EC6964ED89EDE48F6E7FAB6EB4903A8FEAD6E5C9BE43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060623Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:47.575{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7358060403BB0299A9B3185B26831294,SHA256=914B72BCFAC0AAB160B5DAB19F19AECC9419F668EEC98F6DB07DFA284D26CFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031418Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:48.781{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC5326AED76C7ACC8057EB52034FAEC,SHA256=F270EDE7EA45656C675771F7ACF14813CBEF6C977A5319DD3F5636C8E859132B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060624Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:48.606{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E67AB8A972FF4332A15E5F70EDACD8A,SHA256=C87E99963E635704C0377B230DC4F32DDC5AF6DC3FF0424001A0684C1290B976,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031420Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:47.894{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031419Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:49.797{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917576A84A516A567B6535470485C25E,SHA256=FD399E446425F4ACAEF6AFE5F46D8F5CAE4C49142D0126E22BB4A8CD9DA34045,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060626Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:48.087{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060625Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:49.622{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B77A96DD2E96800B7AC994240BE71F,SHA256=141B5E9F3AAD01F2A92695391204EAF3C1A775B878338BE8AC20837AD230B4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031421Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.812{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F201B4FD3A7743C0F3350BE14CEC368E,SHA256=29B7CEE01EEEDF91B4260420D1AED5327CC9F02735C4F1AB6A4405C447C198B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060627Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:50.637{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E5B48650343875DF8E8EB6DC989821,SHA256=417CBCFE7B86CB0CDF93042AA7A974047D62C5541DE818C3E9ABCBBFA63A41BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031422Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:51.828{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598DCF0AEF34B7244D44F264AC8723F6,SHA256=432E290336325A9CC25A6E3D9F8547DF2F20DC8F62FD942C1621736B1A6AA830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060628Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:51.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460D071D4F9C354D752468C65B5A0BAF,SHA256=16BD0EF604C77DCAE8A8C76CA2FCB9FC40F3BEA356786065E654B3CF6C7A6B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031430Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:52.953{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F808EBF48682C0B21B8DBB8D55DA487,SHA256=8566E1700E3C086923491AE10958890325CAB11B4E6FCA381D144162F94EEA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060629Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:52.809{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F238B5119A57FE7F2A099FDAB749098B,SHA256=F996870C257708C895B6D3484E77C71BC2FAF3701E42B5CCA2C1E6B92989FD37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031429Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.199{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27588-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031428Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.160{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26959-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031427Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.115{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26323-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031426Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.073{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25657-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031425Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.047{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25230-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031424Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:50.006{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24403-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031423Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:49.964{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23628-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000060632Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.840{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6CD23D5F0A19E30AD784646B5395A6,SHA256=45BD0A2B180D96B4D12BD789FA394F72B360D9EF4E527F9DFC6DE0E1A0F6B155,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060631Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:51.935{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-763.attackrange.local56565-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000060630Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:51.935{B13AE1A5-472A-6092-2D00-00000000BA01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63239- 23542300x800000000000000060647Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:54.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D76F4A2A1E44B7511E84A99FF9083,SHA256=6D499883528916BC833F14D1EC2837821A420CA47B7D91F7C00C539995F9CD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031433Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:54.656{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EBAC51AC31043508B29F2AEBA4D554A,SHA256=4BFAB4467FB6478061EDF13663B461509A672CAADC726B825A1972C9428494E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031432Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:54.656{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A615F2EE6B9368FEF85C3FD6E0EE951,SHA256=52858F1F739C7079A2D930EE33E9DB011CE443020F185BB06300D3B5012EE845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031431Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:54.031{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF7A3C6D9499E8F3475789D9FA61539,SHA256=8CA9307CF653DE3456357C5172A78F289C3A0C9274A8238BC69877EE1923C702,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060646Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.594{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51649-false10.0.1.14win-dc-763.attackrange.local49676- 354300x800000000000000060645Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.594{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51648-false10.0.1.14win-dc-763.attackrange.local49676- 354300x800000000000000060644Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.594{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51647-false10.0.1.14win-dc-763.attackrange.local49676- 354300x800000000000000060643Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.593{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51646-false10.0.1.14win-dc-763.attackrange.local49676- 354300x800000000000000060642Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.593{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51645-false10.0.1.14win-dc-763.attackrange.local49676- 354300x800000000000000060641Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.592{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51642-false10.0.1.14win-dc-763.attackrange.local135epmap 354300x800000000000000060640Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.592{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51644-false10.0.1.14win-dc-763.attackrange.local135epmap 354300x800000000000000060639Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.592{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51641-false10.0.1.14win-dc-763.attackrange.local135epmap 354300x800000000000000060638Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.592{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51640-false10.0.1.14win-dc-763.attackrange.local135epmap 354300x800000000000000060637Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.592{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51643-false10.0.1.14win-dc-763.attackrange.local135epmap 354300x800000000000000060636Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.481{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-763.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63240- 354300x800000000000000060635Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:53.087{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060634Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:54.356{B13AE1A5-471A-6092-1600-00000000BA01}15726492C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060633Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:54.356{B13AE1A5-471A-6092-1600-00000000BA01}15726492C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060648Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:55.887{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF7262B972F0FA1CBF7214516218078,SHA256=4BD6CFB66A6D1842DBED443272847FDB0BC0A82FEC5E14250FE320D336BD8F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031445Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.429{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51649-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x800000000000000031444Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.429{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51648-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x800000000000000031443Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.429{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51647-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x800000000000000031442Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.428{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51646-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x800000000000000031441Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.428{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51645-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x800000000000000031440Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.427{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51642-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal135epmap 354300x800000000000000031439Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.427{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51644-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal135epmap 354300x800000000000000031438Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.427{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51641-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal135epmap 354300x800000000000000031437Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.427{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51640-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal135epmap 354300x800000000000000031436Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.427{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51643-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal135epmap 354300x800000000000000031435Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.316{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-273.attackrange.local63240-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal389- 23542300x800000000000000031434Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:55.078{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F96DD7B550BF88C2B6CE61CBD9E3B37,SHA256=435D84E9BFD51EB9819D7A461E3CE6BD52818330122B6600030ACA05B22CFED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060650Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:56.919{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EC1F58A8A4A44B79F198CAC3000D10,SHA256=A582AB10464C65BACE82200EEB5C63F4D638957E90209B0822F2A703FC082369,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031451Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:54.852{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29415-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031450Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:54.614{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28815-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031449Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:54.511{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28219-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031448Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:53.879{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031447Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:56.125{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B7698BBCC0982844AE4B6453F5956A,SHA256=64C01148A38A4836F69C293BCA81F1DEAF5515489FDDC53F4E64B4DB449B3095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060649Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:56.700{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1194F5F713B661F5F27524A1F6A483DF,SHA256=EFBF5B681691D50102F7ABB7130D8CCABE8FC7750808D0B45ADDA3064391C428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031446Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:56.000{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EBAC51AC31043508B29F2AEBA4D554A,SHA256=4BFAB4467FB6478061EDF13663B461509A672CAADC726B825A1972C9428494E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060651Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:57.934{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACFF39B3B858AF479021BC2B2EB6AE6,SHA256=35901E310A4BAB53DC2D91DC04B84ED4187B44F6E70D66BBCEDD1EC6CFA97BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031456Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:57.531{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26535FA8F775CE824469F61B66728EE1,SHA256=AA64328C1944913456ED3DDF5E14924C0937A52C02096B41064E4220C44B76E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031455Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:55.500{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31209-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031454Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:55.205{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30611-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031453Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:55.003{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30013-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031452Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:57.140{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A99B062815C4DCEDCF84EEB10C2BF32,SHA256=67DE3E593CF825F34836DC935BF595649AB2D0AA572AE8AA08D4A1D431EE4925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060652Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:58.965{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5465854B2A4A78A65FE65DC148740D7E,SHA256=12AE9046DA7B7304B2C4EDF778091CBF01E14C79FCE1DC5279F3E725D695F7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031461Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:58.562{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FAB9E41C599773C2B36A7B9130F88FA,SHA256=D807355717FEC220A8A430BE46FEE0DF1889AA780677560C60C8169C5C209660,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031460Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:56.685{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33003-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031459Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:56.429{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32405-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031458Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:56.051{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31807-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031457Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:58.156{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC18B93B8FAA5FDDF4D184308626DB0,SHA256=018F3FF2C1C1A4E806AF8B07EABB74A339D4EBAEB827DD3A0C0A4CF6932D00A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031466Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:59.765{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AB1D312320CADD204A416EF565D6FD2,SHA256=B922A3BABE2A50266E46134EB5AC969797DDCAEBAAD75F99C8D159FB2A58ED1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031465Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:57.920{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34797-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031464Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:57.535{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34199-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031463Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:57.087{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33601-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031462Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:59.250{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839F3B2D9433ECF248D1260E7F458171,SHA256=E5270CF670206F14D345BFD7E398D90BB5F044ECE05C0AA02E4B28F6869F1CC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031468Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:58.287{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35395-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031467Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:00.375{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC5A013638F86DE295F73786E8BA1B3,SHA256=34229834BD88A05397EF4B99977253B18C95072F5AD4A2C668952EA0B589A7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060653Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:00.028{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59636D9062E9A6531D93EFC865D34AEC,SHA256=C5E14AFB9CA7A8D4A9CE2236AAB3D321D78B6E0F81AF995AEF7D9894CB12493B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031474Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:59.674{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37189-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031473Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:59.269{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36591-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031472Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:58.894{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031471Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 09:59:58.812{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35993-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031470Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:01.406{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0879EEC7556EC91E311F20CFDA7626,SHA256=8E9310325E690B558E6BF1E4658A62967D557650BF4E2EA008969885E667F3B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060655Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 09:59:59.102{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060654Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:01.075{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10E2BCB5F5873A42CFB087ABC9FDC27,SHA256=24D7BA47CE82572FD64DBA7AF3FCC967FC7E4A8EFB2DFF74A49A7355413781BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031469Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:01.156{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D817E6C6DDFBF4EF53DB535C88B3AAA,SHA256=D3248FFAE4DF8EFA130A98F98E97A33E53848FDBDCDD46327FE415CBC5DEEB97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060656Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:02.153{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29511ED1119D51C6E79FAD2C6C01351,SHA256=855576AB4102BFA69F7755703E6E2A9F279C68B76CB0BACA8E9061668EE17E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031476Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:02.453{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF54CFE38C0345CE5AD548FF523811B,SHA256=4CA285061C776C1545E161A658542D7469481ADD9093F9DFA05938B75727C122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031475Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:02.203{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0586DF2F66FC5E86DB1DBABE8A5D942,SHA256=63ABE70F8A52B384523B2D90A1DD3FCBE1E2E17CD00E357EB9A37D1623FD2447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060657Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:03.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BF538FAE2F3C6D58941F7992F327B4,SHA256=D811BA9ADCEC2CCE59723DF711EABC505944ED3B777BB9A02531A6937C3AB008,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031482Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:01.815{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39581-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031481Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:01.210{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38983-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031480Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:00.721{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38385-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031479Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:00.202{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37787-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031478Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:03.468{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F213FFBB2810044FDEBCB89D23229B,SHA256=A9935DAD64CB9F3E88A3ED3712D1097019D792A5D2A84E646D4F9B5F5FA9B964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031477Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:03.296{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B023B87DE06B926F64B4E271E146C493,SHA256=E8022694D81FB2F2595E3062A4E8DBC1E3992C81EADE52FC59AE500E21EE9C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031486Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:03.022{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40777-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031485Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:02.399{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40180-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031484Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:04.515{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24EC1361AEA9ABBAD728B1316ED5F79F,SHA256=527507D86AC2A17E4DE770DF176359F7B55C63F5D7938647ABF9AC1D04B6936F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031483Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:04.500{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C14F070855AF80A1B37BE90C4E2337,SHA256=9FA8450776B63C6CA0018EB858B9FDEFFFF2DEC34CA378C63F891522BE2F8A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060658Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:04.231{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34609AAA9F302D06933822236D4864B4,SHA256=B200313139866C734A71E1A58F79FD732C9301B5704A5C3627E14479110D19C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031490Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:05.859{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6F86B19DCC8483689A4B83558A91D29,SHA256=ED0250B73D73D4FE99BDEFB0DA90909ED5E5DE652BDCC5663F325057596B546D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031489Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:03.925{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51652-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031488Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:03.694{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41375-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031487Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:05.546{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A942C4582A35E53A68D85B29A339EF8,SHA256=CA6DB760F4897F0EB15B287C009AB890B7DF4D1E33D63B534A125B2F76BD3340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060659Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:05.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC53556B8B0F7BCD3E0B09F13D261D6B,SHA256=B8C740A08F665F32478AAC6E33C9471AF8DAF43A5A9FC1D3D0D5D3DAAE517B56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031494Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:05.203{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43139-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031493Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:04.985{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42571-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031492Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:04.374{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41973-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031491Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:06.593{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3745E56A64DD34A16ABABE60487833B3,SHA256=6FBED37C396D46D0FD91F457C0A1A6154D391C1E6CC0C0A97304D193AC91AFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060661Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:06.278{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3F52D55A5480BB04741396A49FD19F,SHA256=C2E21956C80DB45D4D1660982D0080193A90C3F254B14192C13F21F676DBE2D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060660Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:04.180{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031497Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:05.829{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43651-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031496Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:07.609{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619557719396332A7BA1E86CDC256944,SHA256=8F9DD062D847A9A2A0FF07F0305A6A8A705B341B881EA3C5856AE13F76F685D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060662Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:07.325{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFF1A1E64B866AF9A0656F6E91A96ED,SHA256=F1E7F0AB0A08102A2BC0D9CAE883DB8E4FDFB222EF6E93FF8D45EB1142EF5352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031495Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:07.343{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED9DE1520B78591EFF32C8199268895B,SHA256=3DF1D0389383A56764887017FD85C8EA66B1D4032BEFB1FB8CFCAC2239B0E9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060663Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:08.356{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C4A5D0181F21CC7A43734646DFD5E3,SHA256=98ECA91F1FF8ADF6A0326CEFEE6E94BC71EE792703CBF91D3397489AAEBD04BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031501Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:06.859{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44674-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031500Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:06.468{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44163-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031499Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:08.656{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D8CB184AB61433CD3C251381AFC541,SHA256=032F8A62D0F58D29DDC57FB5B6C6CF0E09EF96D562A73DA0533443C34DC49095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031498Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:08.375{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E12C8685728CDBF2CC6C5B96AF48EACC,SHA256=58DEB0ACFCEF6AA2EEDB6E1B86544C06A34BC9847D15DC22C58C89B5A0881315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031504Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:09.796{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88B09B4F3C369C97A015017D583BE68,SHA256=67BAE3825AAE4C332B15B1FA8EC90BB844A4D7C16B5F0ABBAB4BB5BD2E57DA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060664Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:09.450{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BF4C6717FFD451C785A6B2E9064C9D,SHA256=9E112FC9CC7C9EBD80487F0A1F556ED2B88091A3A58D19CD29602BA62D8F6D0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031503Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:07.395{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45187-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031502Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:09.453{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=290C5424705B44792C324A72BE1540EB,SHA256=C75882BBB60C7B84B07E1A6FDB3865D74735BBE6959C3A090247417D6880AF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031511Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:10.937{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22DAA86002B42BB42991A44D369ED141,SHA256=826A83318742516D91C6766B75EDE8BDBE389F85289CD6F88AF2AC40562AE904,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031510Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:09.452{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47236-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031509Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:08.957{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031508Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:08.938{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46723-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031507Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:08.413{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46211-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031506Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:07.943{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45699-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031505Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:10.812{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC8DE632C51E0E11E7FE2BC83AECB47,SHA256=053FEF698317AE51E3228045A70629C321448DA840ADBD43C710218CA903B2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060665Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:10.497{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32533243E614ED655EAF96EEB4930FA5,SHA256=859294A699E8E8C1FB1B07638DCFDA68CE6C33D8D37E41407671E1F121F5DEA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031528Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:10.123{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48260-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031527Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:09.773{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47748-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031526Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.859{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD6BA8ABDBFD5B077E1BE201ABA6969,SHA256=142A313A798107BFC095D014ED61D5F1A42E9D8439205C7D1A4A8871C6A045FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031525Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.859{04D9AEC0-6CAB-6092-F404-00000000BC01}34201168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060666Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:11.512{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB7ED4C34915651EE6BB056CB66E082,SHA256=C974E4F02AFCC9163F37D8BB9A84AD950E1A68899A76FAD1286DCCF7633E5686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031524Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CAB-6092-F404-00000000BC01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031523Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031522Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031521Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031520Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031519Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031518Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031517Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031516Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031515Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031514Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CAB-6092-F404-00000000BC01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031513Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.718{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CAB-6092-F404-00000000BC01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031512Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.719{04D9AEC0-6CAB-6092-F404-00000000BC01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060668Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:12.528{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2142E90972B8E38D707E0304EE910AC,SHA256=4D2EB98FEDD24B576090E808A8D11D1C895FEE5D493A9F876AB900151FB825E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031546Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.280{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49800-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031545Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:10.960{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49283-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031544Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:10.521{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48772-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031543Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.874{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69FB7EC0C9FAD9EEABD8BBA2066B3D9,SHA256=72C2D1AE728390EB8AE3AE279020D7A3697CD06C734AE7FC993081D0B015AB5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031542Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CAC-6092-F504-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031541Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031540Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031539Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031538Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031537Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031536Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031535Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031534Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031533Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031532Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CAC-6092-F504-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031531Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.390{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CAC-6092-F504-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031530Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.391{04D9AEC0-6CAC-6092-F504-00000000BC01}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031529Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.999{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE34988F0BE1E87C881666D1A30FA673,SHA256=54F392220E609C0E6FD23DD967AD47FB88F83C2733FC80677199EF32FA6CAEFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060667Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:10.196{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031577Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.301{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51331-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031576Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.915{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50820-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031575Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:11.582{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50310-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000031574Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CAD-6092-F704-00000000BC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031573Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031572Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031571Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031570Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031569Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031568Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031567Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031566Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031565Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031564Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CAD-6092-F704-00000000BC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031563Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.906{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CAD-6092-F704-00000000BC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031562Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.907{04D9AEC0-6CAD-6092-F704-00000000BC01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031561Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.890{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09004DBF2F5DF0464B81F2007B3FF6C4,SHA256=FD28290173ACF877E9D56D0C34A029EB2D055B3C14DF94EC2BC2225F1D756BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060669Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:13.590{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B88E0CF55A10F72AB7E08B95FB36D74,SHA256=63B6B9DD4DBA41856980C16DC0BFC456A13900ED8B2F088BBA704CC4E5EFC043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031560Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8DBBCF3E6E2AD3804E09BE884A2B05,SHA256=71908CC7131607AB5284DD143DBF7EB9F088C14C0285B2C086E127985E5B98B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031559Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CAD-6092-F604-00000000BC01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031558Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031557Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031556Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031555Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031554Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031553Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031552Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031551Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031550Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031549Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CAD-6092-F604-00000000BC01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031548Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.062{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CAD-6092-F604-00000000BC01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031547Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.063{04D9AEC0-6CAD-6092-F604-00000000BC01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031584Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.181{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52860-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031583Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.903{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52351-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031582Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:12.598{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51840-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031581Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.984{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031580Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.906{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B339CC4C6AAAF47161227B627D7EA3,SHA256=494F16CBF1B916EE27437D81DAD5CBDC1DB36F3E78AFA936FA1B83BA4E2BD70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060670Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:14.606{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF51CDB3161E0B3B931255959815A04,SHA256=0C62D83CCBE7D837F9381C1F40927B066917FC438CA058D21323D047FD909A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031579Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.078{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE9F6DAE133A022ABF655FAE95EBB94E,SHA256=EDB7428F69A6892E634054DB65294059EB78DBD79C9EF98690D46FF7441F715C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031578Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.046{04D9AEC0-6CAD-6092-F704-00000000BC01}35442292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060671Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:15.606{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32F9DCD552B5208647AC62B7DDC0D0C,SHA256=5440AC226AF31ACD73D3365122318472E17CC8FD6791EE1C789FCD73C95C5DB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031613Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CAF-6092-F904-00000000BC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031612Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031611Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031610Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031609Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031608Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031607Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031606Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031605Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031604Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031603Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CAF-6092-F904-00000000BC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031602Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.890{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CAF-6092-F904-00000000BC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031601Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.891{04D9AEC0-6CAF-6092-F904-00000000BC01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031600Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.374{04D9AEC0-6CAF-6092-F804-00000000BC01}39962644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031599Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.296{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAF3A72D9DF0ED9E6C00A5C48236063A,SHA256=619A453165FD02266B76A136354C76BB85D134A78424ABFAFB6BB3C9523DC4BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031598Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CAF-6092-F804-00000000BC01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031597Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031596Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031595Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031594Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031593Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031592Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031591Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031590Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031589Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031588Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CAF-6092-F804-00000000BC01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031587Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.218{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CAF-6092-F804-00000000BC01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031586Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.219{04D9AEC0-6CAF-6092-F804-00000000BC01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031585Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.503{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53369-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000060672Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:16.622{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EFC147BAF73C0E88D86E117EA63963,SHA256=D01C4A65EAC47629D2FCDBAC9AA30C6D4191D14DF4DB1040EBF1BD15370C5D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031633Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.468{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7E18ACD17B9E51C22C9E41C872DA1C0,SHA256=D62DB5BFF8FFD80D272A7B6C2489B000FAE5E957988BC21897491BD402D66EB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031632Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CB0-6092-FA04-00000000BC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031631Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031630Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031629Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031628Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031627Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031626Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031625Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031624Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031623Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031622Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6CB0-6092-FA04-00000000BC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031621Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CB0-6092-FA04-00000000BC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031620Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.455{04D9AEC0-6CB0-6092-FA04-00000000BC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031619Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.453{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FE7B9C6F96CAD3AFABA06E7252858D,SHA256=869E0B7F60F69AF75F89695BA59A732190B07C8E0C72CE5BE79DFC09A029BE1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031618Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.387{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54895-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031617Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.100{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54387-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031616Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.988{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51654-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031615Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:13.817{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53878-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000031614Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.031{04D9AEC0-6CAF-6092-F904-00000000BC01}3680892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060674Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:17.700{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C929291195DC0AC3A56C7570B1379264,SHA256=DFD2A0E5DBCDDD05BFF0EAA7A4252D2D65E15DC7924FC68BFCF7AAED0C5BC291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031640Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:17.702{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1B8D47669AD60953F85E10D637E2D3,SHA256=CD9825A4233D6AE3ACA760A0CDB4828F1E4B6EEF4BB8AF91160D083E499B9D9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031639Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.510{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56932-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031638Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.242{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56423-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031637Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.950{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55914-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031636Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.753{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000031635Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:14.657{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55405-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031634Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:17.077{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92845E5F4CD721788A028383B3AF410A,SHA256=6943290731ECDF0959EA13B8D2F203BB61FC995DF4E76055DC584C1BD7E39C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060673Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:16.212{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060685Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:18.715{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767E28FEF1429E5DC518AF2A35844AE9,SHA256=78F5DEEC62EA5D0C47DD058618CCEBCB8C0AC74313C9B2D407B52905AF8BABB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031645Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.657{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58968-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031644Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.398{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58459-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031643Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.059{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57950-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031642Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:15.818{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57441-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031641Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:18.109{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF65BD091E180830380400B5795B1F0,SHA256=441FB4D9722A7F780E93CC33AAB536016C46233E9A22C1CDF48E2921D041C156,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000060684Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000060683Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0092f900) 13241300x800000000000000060682Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418d-0x11e78e32) 13241300x800000000000000060681Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74195-0x73abf632) 13241300x800000000000000060680Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419d-0xd5705e32) 13241300x800000000000000060679Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000060678Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0092f900) 13241300x800000000000000060677Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418d-0x11e78e32) 13241300x800000000000000060676Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74195-0x73abf632) 13241300x800000000000000060675Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:18.090{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419d-0xd5705e32) 23542300x800000000000000060686Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:19.762{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554673AA85DD3854F2512E14258A9214,SHA256=426ADB891D8E57D2E43DCC50858B2A20213B709C3EB50C8392BCDD81952AD823,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031650Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:17.681{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1518-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031649Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:17.187{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59986-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031648Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:16.914{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59477-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031647Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:19.124{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8563AEDD6904F3AD7FEFFAF9DCB9A,SHA256=CB4B311F9E20958F06F75A3E00DC01CE555243C8649BA37C017AD2F6952E1E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031646Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:19.109{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0342BD9B132CA5C364EBE4B25D90883,SHA256=B6C8EC6EF32DC3A3DCE5F44ACFD9AD6FF9FC575231675A67D7C29074F6E30CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060687Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:20.809{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BFB377AB159315857D92A38DA33EB,SHA256=78A299E3CBA7B1C8B009B1B23F8C3D571175C7F9146F55C17E57D021756FDE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031654Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:20.827{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8B8D91577432464E1A21CF04E8B571E,SHA256=946795D0A735D895AFE2D40EF5045269B4622611D6E0E6862498F075AAE7177F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031653Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:18.848{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2534-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031652Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:18.198{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2026-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031651Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:20.202{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3E894ADED779CB68E4192D0A0CA81C,SHA256=6E726BF47C9E8A3BE9034DBE7E1A261B327D692FDF96D5F457CA4C32A4B5F105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060688Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:21.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE92084138B5904D5C52BE8350802D13,SHA256=62DB2190FF9CD0F269B59AAAB3BCFD37A75145D408A004194BF90BEA02CF2574,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031658Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:19.831{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51656-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031657Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:19.572{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3551-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031656Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:19.227{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3042-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031655Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:21.218{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D780DA04FA53262BED3B1CA09E1D22,SHA256=0D01DE14381659939492424394E69A69E6DAE12C46618ABFFBDF1EDDF58C1E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060690Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.887{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9ED447B6D93F3521406CCA47F94230,SHA256=BD79A4D22DA5C6E8E0E4AAD9ED973F90407E8861B5421D7577ED6BD18A123BE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031662Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:20.631{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4567-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031661Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:20.053{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4059-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031660Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:22.234{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0682EFD0E48E896012C8072BAF1141D,SHA256=9064078F9E231BFF163A35FBACF021AF71AD36FAAC88373963203C4F6D4FCEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060689Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.700{B13AE1A5-4718-6092-0B00-00000000BA01}8604296C:\Windows\system32\lsass.exe{B13AE1A5-4716-6092-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000031659Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:22.077{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED0758F67203313FB25639412A386AEF,SHA256=3276EFE980D2D3D1F734C0162840133D6423AA958B6395077E38F22D7C7AAD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060694Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:23.887{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A85166DAFAD05A89696F568C3F923F6,SHA256=F7AFA73D56A0062BF59F0A0B813D76969DBB53FC28B7EF99C001994F953D3225,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031666Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:21.767{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5584-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031665Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:21.222{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5074-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031664Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:23.249{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C451E98C823296E80D4E949F6C2836,SHA256=5328D82E12C8D729743B3C1E541CCA80E23AAADDCB88B1D767D090A53E671BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060693Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.055{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060692Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:23.606{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7745DC63016C13265ACCD85F97FC5841,SHA256=368F3A8B32475B712A08C17AC40168E8F3FF92ED556C5316E429B1D5E6883F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060691Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:23.606{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6798E95ED27CE95074E59C47B8A7CD8D,SHA256=1B79A4399CDD5165AF16AB6E32FD736880140EBF17B700F952BE571572D46D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031663Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:23.171{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DE286045EFE7D60EC2F784B7EAA9D87,SHA256=D51E65D16F4B1DFAEBCAB9BA394A47D60CCC99F99DC76304E850711CA144F1D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060701Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:24.903{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C82ED3AEAD738A3E3C8E33CECD9AF94,SHA256=DA0B38B6BB396DF57D9478B964082F88152D11FD3062517D9F4318787A681041,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031672Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:22.876{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7617-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031671Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:22.665{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7109-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031670Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:22.427{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6601-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031669Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:22.077{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6093-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031668Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:24.265{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109ED5615735064AFAEC09BFAFCA6D68,SHA256=47966599665884820AE5913F7979121A633C6C5F45C046FBB1A7C3C5B89C60F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060700Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.668{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54151-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000060699Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.668{B13AE1A5-4716-6092-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54151-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local445microsoft-ds 354300x800000000000000060698Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.566{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-763.attackrange.local54150-false10.0.1.14win-dc-763.attackrange.local389ldap 354300x800000000000000060697Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.566{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54150-false10.0.1.14win-dc-763.attackrange.local389ldap 354300x800000000000000060696Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.558{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54149-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000060695Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:22.558{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54149-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 23542300x800000000000000031667Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:24.202{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C45F5ED79194ABCF912066CA5BB3012,SHA256=4225DF28E44C6BFC036E0896A744FE480B0B297A9A6CE2A2668C60ADBFD8F491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060705Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.903{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCB8C4095174A9441E1C6DF93949F39,SHA256=01E12B9B1E3B77849CA915A6F7015CED698F4CCC413D215D3A0DD66D9B808987,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031678Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:24.043{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9650-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031677Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:23.731{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9142-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031676Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:23.424{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8633-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031675Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:23.148{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8125-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031674Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:25.280{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A793E131891821FA5D4EAFB78D1079BA,SHA256=F2F3522B5512770A4CA4DF202506A15CEFB33E2C0D7590C6DFE5319AE4F8A0D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060704Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.450{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-697D-6092-9B08-00000000BA01}6148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060703Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.450{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-472A-6092-2C00-00000000BA01}2752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060702Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.231{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031673Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:25.265{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8964B08C12E28036856D721AECA76BA9,SHA256=A1FB43518C8635AE614917E629F3407C9DD5850E3CF6D3B155F64511FC49FFBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060708Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.180{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000060707Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:26.919{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E04EC7F05C4E7DBCE992860C627EE2A,SHA256=5F017E5931585CC77AA642CCED931D64B2350D43410BD1F81F11BF6A96A63803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031684Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.609{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8CF5959A78478E9DE2FE5CB8D5C558,SHA256=E364F105FCA36D9CBC50C46077CF1C9328721B1685D7D22FD0EA18CE7634A5B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031683Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:24.954{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11173-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031682Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:24.631{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10666-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031681Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:24.355{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10158-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031680Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.296{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D774034D15839B8393531732DA582E42,SHA256=0C37C47381140C6D2A10BADE7F4B7BC05C486894B70443CB8DDFFB8543325796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060706Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:26.872{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7745DC63016C13265ACCD85F97FC5841,SHA256=368F3A8B32475B712A08C17AC40168E8F3FF92ED556C5316E429B1D5E6883F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031679Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.093{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C2E1089BE8C41D20331CB7967959B2D6,SHA256=D9AFCFAF349AC528641437F361B625D01AAE63F4066F72ACC90BA4ED37FB2938,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060711Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.837{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54153-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000060710Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:25.836{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54153-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000060709Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:27.934{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67470D08681512B6CE0F82810635C73,SHA256=66EA9E7100948ABD1AEB2CAE456BE0BF31202D25AAAC923E897067C66A7A61A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031690Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:27.749{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C3CBAED7E591E468233A763105C865,SHA256=BA6DD7DCD26C794D960BB8A7B2EFE327E45B7DCF588282B7FDE2CF5B0A20BF08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031689Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.083{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12694-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031688Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:25.862{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031687Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:25.488{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12187-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031686Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:25.229{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11680-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031685Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:27.312{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9230ABEFBD29D5BD08D3EB3798C175D,SHA256=A573C15BB7E837BD9E940616D198C1A2C7D9D8B1FE38EBC8B9ADA51C983AC308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060712Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:28.950{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF5A0F45A8C9495687DA6EB13E0CF47,SHA256=E076C93DFCB1C0384D7CF04DDCA7F5B70780C89D46F741407CB21295B8E422D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031696Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.890{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=036DA93D825EEC8A1AC80ECE97D2561B,SHA256=5CE2F438A6FEF7AFF9AB2E29F15CC2631FC84197021CFC3238B423FA8AAC8F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031695Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.838{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14722-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031694Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.658{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14215-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031693Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.346{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13709-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031692Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:26.166{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13201-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031691Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.421{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E730C468E389728A2056C199E868AA85,SHA256=E20EFB9284A0ABE87582066F968441256D6B4384755DB95780C418D82F4EA998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060713Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:29.965{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D9472A20D6EDD1B17412F5897461B6,SHA256=A9FBC2E13648F4034F047D4058E22C46AAE4EC5A163498413D2279D910474EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031702Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:29.983{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40CFFD2709770BB272C1C6AC9D56C70E,SHA256=98E13A55DD0D1B7317C4830672988EC0BAC70C32382D1DCE3182BA705894C95A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031701Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.205{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16753-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031700Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.035{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16246-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031699Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:27.774{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15736-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031698Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:27.367{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15229-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031697Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:29.468{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20C637684E92E8443D94C17D922B022,SHA256=FB302115E4C09A825FCF7CEE3C2BC1D4391FA9AABCF53293DBEABA89C2E068B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060715Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:30.965{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA84191B28CD940CB3F7E7802DFD847,SHA256=463837E7860A2E7A418F96B88429C2E8D8B2B287E3DB6B06F165A92E24D8C7FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031707Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:29.096{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18782-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031706Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.853{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18275-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031705Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.595{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17768-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031704Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:28.412{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17260-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031703Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:30.515{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECE4CD5C7DB6390539EC03CE31873C8,SHA256=D26125298F9E90CF29C826341B9F881762F518039CFC0997F960BC3521926521,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060714Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:27.102{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060716Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:31.981{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05756CF5663B417C9316ED20A0002B19,SHA256=56CFE1835124B3847E307F49E49B0481FC3B6ABDBB97A99B4F6E1C846FCC2DE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031713Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:30.102{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20810-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031712Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:29.834{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20303-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031711Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:29.590{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19796-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031710Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:29.319{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19289-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031709Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:31.530{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2482C1A0ADE4DC6B67E1616AB4F6D162,SHA256=D15808C1E03A2722A025198B62E7B2BBB07F43F4B6E241060AE6F7CEB83249F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031708Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:31.077{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10FEBDB5581F61BFACA98F9F7221CD53,SHA256=7C29ADD6B280012516D2069D709501E0D912543D966213FAC01FF23EF84A2450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060717Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:32.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E210FFAC687AAF189338237AE16996F,SHA256=19F276D076EB82ACBE9CE5C7A70BCD1867118B7FF51E761A79FCB2BD36E58A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031716Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:30.335{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21317-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031715Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:32.546{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C3698D801289A320E8896CA82F1A2,SHA256=82844007613742B861640CC7FE53A54736352988C2BB8BF843B91A27933E7C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031714Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:32.093{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95F5B13C4FD4915C5FEC380BDC944241,SHA256=F4511BAD77D84346E74FCCDE883689A1BEA08937A2E7CFCE556D7E68707C9C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060718Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:33.997{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2A219878E3BAEACCDB14669D653A46,SHA256=BCFF5FEDBCF05645A87F43A51138BC475521B21E931FE9E57C43E22700B25505,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031727Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:32.251{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25373-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031726Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:32.001{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24866-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031725Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:31.722{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24359-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031724Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:31.483{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23852-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031723Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:31.242{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23345-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031722Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:31.034{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22838-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031721Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:30.925{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031720Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:30.793{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22330-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031719Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:30.552{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21824-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031718Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:33.608{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1F4318AC3DC67C370BA1D3655B087A,SHA256=0FAE0F084AB7283580D197D76DDCABE769818D260936316912684E7BB039F0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031717Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:33.202{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19DE6E760AFB230CB17CDA4B4950EA6E,SHA256=6C51C099A139673D4379314BD12D77DEDDD4753A11D57EC337995D5F16697114,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031733Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:33.256{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27401-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031732Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:33.020{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26894-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031731Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:32.778{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26387-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031730Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:32.538{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25879-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031729Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:34.640{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1D7E98C98852DF02AE7096644FC534,SHA256=13BC2F80F48224C703D8BD7ACED70193ED0B2B82895ACE066862945A30AC5834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060721Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:34.512{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D351DA991ABDE0901A7C5629CB1D2028,SHA256=BDAF5F44C2B72A4792D5E0BB64A29E2C95E9948B9289B1DD3A4F85F1CB13D407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060720Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:34.512{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9BE890C201EAD381F03BB5CBC304500,SHA256=901FA7852A098D46492639743538E325FE984D3A113DCC48315D7E4ADF6A1735,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060719Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:32.164{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031728Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:34.452{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A9985EFDAB304FA2CF13130A7C65A12,SHA256=D932AD49F1C9064ECF609297494A814B806C2618B55023E4C3423AE05B634A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031739Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:34.357{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29428-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031738Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:34.053{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28922-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031737Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:33.808{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28415-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031736Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:33.498{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27908-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031735Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:35.749{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E270E056C2D9F85ACF91D70C75D7EA,SHA256=E6F5B9819B761C8A402534635ECF0B31C7411E32BFEC0B45CF283378D7BDA714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060722Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:35.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABBA5FE83E12DACBD2BF45B84D108CD,SHA256=5D424980244342E88B56815D0F388FC9C899E267A9A6ABEFE2AD37053C5DF859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031734Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:35.483{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9AC49E56C678D3A3C1AA8EF02A15D5,SHA256=921C013E786657785586B31C77F0829350950B4A39EB10DC33DD335B62323518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031742Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:36.843{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4756812D90384B29A87E549D1B7BD3BA,SHA256=DD67FA682E11A53B1DC4044BAC96A1B091A30F0D2CA0BD3813FF32DC2578431C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031741Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:34.602{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29936-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031740Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:36.780{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F24918F4CA415DB947194512E0D0FD7,SHA256=43B00057205EAA6BCE72C4B516152B3CE988DDD7C2C2B618516DBCE7999A5F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060723Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:36.028{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D8677BF977B1398BFD30839106BB70,SHA256=C4B87F5F36BACE8EEDF12C77B31798EB91E54B2C7C347DA566FFFC343610B0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031751Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:37.968{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F10E67BDAF813CD986BE8ED7E6D1E1AF,SHA256=8DE219E88EAF87B1B282D7CB0E81F616B9BCED58DD7319BF16D341622F9AF0C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031750Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:36.428{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33485-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031749Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:36.149{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32978-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031748Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:35.943{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32471-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031747Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:35.700{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31964-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031746Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:35.427{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31457-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031745Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:35.186{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30950-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031744Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:34.848{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30443-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031743Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:37.796{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEF13DF97DDCD2AD168E6636DD8AFEF,SHA256=32871DDBDFB5D6DE96D553D7954E6BF7D7543B782006022D9C58AFA20955E538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060724Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:37.043{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E5CE7FF7F9A87CF84B5C7C19793618,SHA256=5D9E1E975590C6DB91879763497D581563BE654EA744BC39EB9A258F90C85634,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031756Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:37.321{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35006-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031755Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:37.046{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34499-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031754Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:36.956{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031753Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:36.735{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33992-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031752Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:38.811{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB5F7544E9C89F3FC9156C5BFBB7133,SHA256=2582BD4CF317887662690F236F5A113DD4524F1B43ACF69EA1DDB32FE2C3C444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060725Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:38.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10CB9434D5C6AC763D17BF6441A86D5,SHA256=BC4E578C9729B0A2375F7557D12D999EB2CD3DD788165401F5F9CC1F6A1A0616,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031762Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:38.459{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37034-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031761Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:38.186{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36527-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031760Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:37.946{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36020-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031759Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:37.592{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35513-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031758Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:39.858{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFBD8E68310E249D6D911164694F4AF,SHA256=E54B4C1C708EAE5750CD5DAA21C8B39E3626F6C28E20E7D52DD1128CC5FEC6FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060742Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CC7-6092-6D09-00000000BA01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060741Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060740Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060739Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060738Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060737Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6CC7-6092-6D09-00000000BA01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060736Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.981{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CC7-6092-6D09-00000000BA01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060735Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.982{B13AE1A5-6CC7-6092-6D09-00000000BA01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000060734Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CC7-6092-6C09-00000000BA01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060733Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060732Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060731Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060730Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060729Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6CC7-6092-6C09-00000000BA01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060728Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.200{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CC7-6092-6C09-00000000BA01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060727Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.201{B13AE1A5-6CC7-6092-6C09-00000000BA01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060726Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:39.075{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7610E91570EF808061BCCBFEE9B180D,SHA256=ABB30BA9C3F16CB206EA0FFFD0DE2F3714331860FAC00BAC9B2BE1BD1FDEF502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031757Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:39.265{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8E239CB23628026376829ADC7B82584,SHA256=F116A5B78D71D09C704C236B6ED9A691BA6D6E13A7AA170305198DBDF56323DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031764Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:40.874{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D637BA2C8BDF26FE0ED6D2176AC33D,SHA256=EB8AF9C55E0CB4DE8C266330AC8F7D53FDF19198205FCE5EF2FDBF26C05FA54F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060786Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060785Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060784Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060783Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060782Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060781Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060780Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060779Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1B-6092-0605-00000000BA01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060778Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060777Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060776Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D1C-6092-0705-00000000BA01}5448C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060775Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060774Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060773Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060772Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060771Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060770Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060769Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060768Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060767Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060766Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060765Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060764Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060763Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060762Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060761Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060760Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060759Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060758Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060757Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060756Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.700{B13AE1A5-471A-6092-0D00-00000000BA01}1004640C:\Windows\system32\svchost.exe{B13AE1A5-4D0F-6092-F804-00000000BA01}4408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060755Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CC8-6092-6E09-00000000BA01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060754Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060753Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060752Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060751Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060750Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6CC8-6092-6E09-00000000BA01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060749Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.653{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CC8-6092-6E09-00000000BA01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060748Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.654{B13AE1A5-6CC8-6092-6E09-00000000BA01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000060747Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:38.149{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060746Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C2BF8A7BB51DB9D83E088B8F855B64,SHA256=02A17DA141DE78CF94626355434A6EF9EF58B6A8809A621AF43FAB1FF4B567B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060745Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D351DA991ABDE0901A7C5629CB1D2028,SHA256=BDAF5F44C2B72A4792D5E0BB64A29E2C95E9948B9289B1DD3A4F85F1CB13D407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060744Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.122{B13AE1A5-6CC7-6092-6D09-00000000BA01}65566636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060743Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:40.090{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034B6E4DEC698907896761862A43D083,SHA256=EEB19ED56ED061FAFD4AFF932302DB753A77C171F18F138065400580B945EAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031763Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:40.374{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB811195307F0E486090687CE457648F,SHA256=4DD52284ED492D85E9A52C89C90DBC3E69738D68CC1190B37982E92EA9EB2A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031770Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:41.936{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F5589F9DC62B421815B437D3551408,SHA256=FF25BA1838397491652C65AD8F3C50951F7B49A1900EE0AE02EF4D9015F546C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060797Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.903{B13AE1A5-6CC9-6092-6F09-00000000BA01}68407260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060796Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CC9-6092-6F09-00000000BA01}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060795Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060794Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060793Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060792Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060791Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6CC9-6092-6F09-00000000BA01}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060790Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.762{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CC9-6092-6F09-00000000BA01}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060789Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.763{B13AE1A5-6CC9-6092-6F09-00000000BA01}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060788Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.700{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C2BF8A7BB51DB9D83E088B8F855B64,SHA256=02A17DA141DE78CF94626355434A6EF9EF58B6A8809A621AF43FAB1FF4B567B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060787Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:41.481{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE407AC7A3790BD72267D5A23BB40955,SHA256=5A1390BD53B1B605CA7208791A23D83E55EF6544BB1A3AB113AD5E3486B10A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031769Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:41.436{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50F07965A109F84F4AB4BCA9FD4F4C4,SHA256=77360AE359EC97054EACF34DF6DE8CE2FA5BC401EC04BF92E4CF364CC8A4E799,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031768Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:39.561{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39062-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031767Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:39.252{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38555-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031766Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:38.938{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38048-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031765Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:38.702{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37541-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031773Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:42.952{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6969F140F2A5E0883F0CBD85E8776964,SHA256=4D6FE00C0A1B1D4236103D36A06FC499AF7C25593A4B2A013D4F836EA6950ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060819Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CCA-6092-7109-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060818Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060817Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060816Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060815Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060814Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6CCA-6092-7109-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060813Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CCA-6092-7109-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060812Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.983{B13AE1A5-6CCA-6092-7109-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060811Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.981{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE4F88F6922725E3627E7A317F3FA025,SHA256=9B932ACEC2BC5AE50A56B93BEA61D067A20C4C3636A77C94AD07BB429CAA39BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060810Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.606{B13AE1A5-6CCA-6092-7009-00000000BA01}87908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060809Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.497{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5255E7F599DB7416727D3232DD717CA4,SHA256=4F189F75293537D63C87FBD04A66E38211CF47B0F72193939FF316C2D3CA3ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031772Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:42.546{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B14FCB68A65D39737F3AD98E1D065B5,SHA256=E6D16A6B4315AEE7792DE5E4567CFDAF59065FC3063EC45DC69C2FCDFF741439,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031771Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:39.837{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39569-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000060808Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CCA-6092-7009-00000000BA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060807Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060806Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060805Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060804Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060803Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6CCA-6092-7009-00000000BA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060802Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.465{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CCA-6092-7009-00000000BA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060801Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.466{B13AE1A5-6CCA-6092-7009-00000000BA01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000060800Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:42.356{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x800000000000000060799Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:42.356{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4\Config SourceDWORD (0x00000001) 13241300x800000000000000060798Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-SetValue2021-05-05 10:00:42.356{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2E6F98E4-AF45-4C1D-ADEF-CB6821383CB4.XML 23542300x800000000000000060821Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:43.559{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CF634A084B3BBD87E45B2F6E1E5F06,SHA256=350132B883EA8FFC1EC37833FC63276ECDAD433C887A2B696379A71E55586EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031780Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:43.686{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE5A5553EEB694B7CE3C2E4895D5304F,SHA256=BB810EA4F7F5A58ECC5FF481D46FFA7C14A5848E47AE47A35CB6BFB69519D98E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031779Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:41.735{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42611-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031778Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:41.323{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42104-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031777Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:41.009{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41597-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031776Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:40.738{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41090-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031775Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:40.385{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40583-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031774Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:40.140{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40076-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000060820Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:43.137{B13AE1A5-6CCA-6092-7109-00000000BA01}79604920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060837Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.590{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085621E5B6DE4CAD7ACD76EF742C73A3,SHA256=C4EE0812A880FA45EFEAD750921049F7B05401A24833F0680151AC249455E4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031786Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:44.780{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64820798906E3633B6AEBDF3312877CD,SHA256=DA7A2AC9777964865EA8CC3655E3B4568598B4DC77A960E090C0DE4FCD554E38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031785Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:42.698{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44132-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031784Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:42.418{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43625-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031783Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:42.045{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43118-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031782Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:41.987{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031781Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:43.999{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F93B87C06B79B3B47FE771AC8F6787,SHA256=ECC8F6E9B1C78C1305041B2B08CA54C60D2DF3973FCDABA7B15064C07DECED59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060836Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.342{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54159-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000060835Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.342{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54159-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000060834Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.336{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54158-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000060833Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.336{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54158-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local389ldap 354300x800000000000000060832Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.322{B13AE1A5-471A-6092-0D00-00000000BA01}1004C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54157-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 354300x800000000000000060831Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:42.322{B13AE1A5-472A-6092-2E00-00000000BA01}2868C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local54157-truefe80:0:0:0:b974:a305:c345:f12fwin-dc-763.attackrange.local135epmap 10341000x800000000000000060830Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6CCC-6092-7209-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060829Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060828Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060827Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060826Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060825Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6CCC-6092-7209-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060824Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.497{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6CCC-6092-7209-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060823Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.498{B13AE1A5-6CCC-6092-7209-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060822Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE3AB5C6C1DCA70D51EC0CE458AE7685,SHA256=A8B688FDE36DC8733542AD91703E79AAF884414B417B0F048FC124B2C0AD0A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060840Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:45.653{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D145EAD5224464DD98516BA4E6E2C5A,SHA256=D913F2BA610E9CFBD3B56BC9AC1637C0F66202859954C04CC42BBFFC991768FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031788Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:43.384{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44639-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031787Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:45.046{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D4BE53E5CE72F282E99C1EC168AA4E,SHA256=83AF4AF7DB35ECEB0E10295998AC7647304F717398DC76A46DCB53B00BC8D926,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060839Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:44.118{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060838Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:45.528{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33B1F344A3710D86CF939F4F7B6FBD5,SHA256=7E8BD3052677954837C2C830A46518CD41566695CF161566BC13339789BF402F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060841Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:46.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D93E607D9A2656C270ED4F1060DF4C,SHA256=9CFC4659526AF35D03D846E1EA7E5AAA68015C2BF1EEFD551F3DD2A4935C53BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031792Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:44.829{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45653-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031791Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:44.276{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45146-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031790Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:46.093{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD4C31398CD64C6E8759E0E0C40F637,SHA256=61C804F504E5F03D641C24E0C013FD81E0BD2609079D5630BC1C02BBE25822B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031789Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:46.061{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD862E54CE6EB69727BA6059F607B7C0,SHA256=4AB35E0D449779FBCC69B88CB63E5C3961335DEB8A51459E5BCDE0B581257859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060842Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:47.762{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFB0601475488C0F1D6881DE3B7E151,SHA256=043B4849AE2EC39716688AF8FF85D96ECAB78F3BB6507D6333198A342C60E95E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031797Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:45.921{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47175-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031796Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:45.511{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46667-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031795Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:45.170{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46160-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031794Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.311{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F093F9FE49DE5C65D01D741E272F43F7,SHA256=68754ED3DADF0C9719A59443D9854029AA8B757499023821DEABFB05F1E40009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031793Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.124{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBA41F1B2E4E9002B7A16808EFCCB01,SHA256=38AD475481A7F1DFF8627816813896FF86F062FD671603659E7553CA967278EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060843Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:48.809{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420704FC5E1A9B20AA1736C317987E9D,SHA256=4F0B3A244D8704398FF44CFCDEA4DAC798D940DF475C28A47F1297A6EB006D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031801Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:48.389{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84E626392250B42EC771932FF18FECA0,SHA256=65A206DB12608BBE8E2F1FC8185C774130A424A9E4070E84D2C079B9FFD326A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031800Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:46.776{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48189-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031799Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:46.439{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47682-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031798Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:48.139{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06496A865426B11FD11F6608C5B4F1AE,SHA256=2826ECED32623C4076F0988D3434E5AFEDBFE6FD9C29A7A46D245FD140743CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060844Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:49.856{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31DE47057CA3C2B6A5356812068312B,SHA256=184B9EDCE90AAC76145AEB3B0E9BB79CE8B1A5C3AD9FFB2C8821B4D4B1E2A3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031808Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:49.421{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0874549B8F838667A6EB79C12696B61,SHA256=7FE95A39E22F087F927C8918E94BE1DDFE029FAC4A89264145E28D428DB2B2A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031807Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.985{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50223-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031806Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.743{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49716-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031805Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.503{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49203-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031804Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.159{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48696-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031803Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:47.034{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031802Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:49.202{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D37076EFD4F247476C1465EE5871641,SHA256=9A877855C72D4AE9F89A50739FB1D4FBF2B179733E3CFA459B801B933FF32DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060846Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:50.918{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECD22AF64FA16F5D23F60B31B582701,SHA256=D3DE5B3517D671511905728F07EBDB183875FDCD865E041A7D2B4B8D739B934A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031813Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:50.686{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=930B5E9FE2AABFB8C67BB0BE1C508365,SHA256=C0B52BB8B80BF576098FCF7215CD4E42D0FE6D00A386FE0580D9965B55907B0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031812Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:48.882{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51745-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031811Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:48.570{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51238-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031810Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:48.262{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50731-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031809Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:50.218{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373F2BE66E09D2BF95073812E19A8DE5,SHA256=FC67D2BDE4EF4EA45FA80BF650FE177EF82DC21DA87B29CD7AF6AB0678F116BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060845Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:49.133{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060847Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:51.981{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5D324F66677DCC1205C3B25D801160,SHA256=C1B04023A6890844405182A7462784E736AB966A16E1DA9393EEF43B7C77DE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031818Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:51.921{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE7192917C9FBE08BB382F76B7459BC8,SHA256=AAF52CCCCFA5596546948381CF4C9ED83B11E5A43AEFE2D86000D89A68D6B9C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031817Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:49.870{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53266-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031816Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:49.663{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52759-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031815Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:49.192{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52252-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031814Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:51.280{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F5A8DB9ABBD89F45A229D34CA3E8F9,SHA256=47FEBEBA5B0BB133390247CD8138DC6109783CC39D3F7D5080ABCB8FF8D4119D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060848Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:52.981{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE68DF749C58752452A50880CA8C819,SHA256=FC3CA885F88D23BD8C0D85B8ED51D84887C933F27EE3F9ED1815762F6F64283D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031823Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:50.965{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55293-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031822Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:50.664{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54787-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031821Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:50.393{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54280-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031820Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:50.146{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53773-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031819Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:52.311{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7285E40FDA0A7D9BFE1C758E406D7F77,SHA256=5FF27FD3A61EA62F871FA790EF0008910A178722064B5A72899BFDFCDBCE4708,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031829Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:51.996{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57322-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031828Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:51.736{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56815-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031827Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:51.496{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56307-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031826Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:51.220{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55801-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031825Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:53.405{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EC5A7468E6E5280D63E9903B5B2B54,SHA256=8A49E1B721895A6E610C053A3B1C51497EB510207533B0E84039D780B273C7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031824Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:53.030{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3974D052DE5DD70588DA154226A6E069,SHA256=0B0F8C8079B9F85A3DC55142FBF113445E1175279DEF837DDC6D4456B125FEBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031836Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:53.171{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59351-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031835Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:52.863{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58843-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031834Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:52.847{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031833Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:52.485{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58336-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031832Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:52.242{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57829-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031831Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:54.452{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678B8B69B7AA3F377BB8CFC56576A7A3,SHA256=05D79A7DC5267EE55E71F9129037CBCB4838BA6960841EF687228D57D42E783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060849Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:54.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6583375B4ADBF2680120A1A49EC81978,SHA256=A130AE9C42F534A05197CEBF8ABFB4833D50C5EB003F41DEA7EEE08586933BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031830Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:54.186{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599ACFC7D7E7BDCDA262CA4E349A67EC,SHA256=06CD4B9C97376B2BB222F1CA0894EEE156A732FFE9D5104AFB1C5C3D7241F08A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031841Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:53.973{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1894-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031840Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:53.729{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1387-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031839Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:53.447{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59857-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031838Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:55.467{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE34B7682053C53FC5D8E42DEEFEEC9,SHA256=0BFC3BAE39DC96C096B44BAF3D967CDE3376691EC6B8F8308DCBE3B41D24FE42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060851Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:54.180{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060850Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:55.043{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5EB4EC4157679C75E2215C2FDF51FB,SHA256=847CF99DC0B154235BEA802B8E97C84AF8A00FF7C33554BE875846264626A0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031837Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:55.358{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2FE178C670F8AA02E25F565A7F6CDDC,SHA256=D57E375863B82E402FD0E4AEBCCD477C390E55DD92A2A5106784E332591ED4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031845Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:56.749{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE2B77BBF3A1009E8222798E1E8FF37,SHA256=07C67996C89E8C8732E6EC72AC8C5A1BBE47091BA6DDEDF7CFA3EC0DE1AF1FB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031844Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:54.798{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2908-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031843Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:54.342{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2401-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031842Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:56.546{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BB5F7B8DD407952671558F5CE4ABF3,SHA256=784E823D3194A1189D7BB05383A80D759198D2A5FFDE62E893AAFA33B4689C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060853Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:56.715{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6E9B83CFAFE095896AB66D6B98845C9,SHA256=48FDAD7590C594579AD679039881F7BB1AE6B8422E69279454AF25027C35F0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060852Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:56.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6CF82E1ACECF4A17CBC13916079463,SHA256=6D9424BD635630310ED7A58EBC7D8821FCB263FAA3596BF10C76188E7F0F2066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031849Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:57.780{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7A88B194E09DF82319B6B52A381B5A7,SHA256=4E73910ED9FEFCE31883A4E847ACDE1F2FAB0BC2B94AF7FB1DD63C54DBBB6B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031848Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:56.246{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3923-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031847Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:55.692{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3416-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031846Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:57.577{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309D1B3D61CC21F7AD9F615EC57DF078,SHA256=0153FB8167157174F7DBAF7F6A24503A33EF87DF2253DC0A74A6A1A0343A6863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060854Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:57.122{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF66C5C4304F0D69DAC37958BAA2AA1,SHA256=843B231F6233D88078896D827960A6F0026EBF15147B65066152C38EBA90E9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031854Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:58.889{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A7D96732C44F731E3FCF936FEFFA604,SHA256=12E67959E2EB8F024B709C23F28CFA38AF971E2B7658B9009730C01B7AB22A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031853Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:57.321{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5447-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031852Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:57.007{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4937-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031851Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:56.694{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4430-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031850Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:58.624{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F174D431F1CBEEC6B455F07C2A5FFB14,SHA256=D3809662D4B5B365DDF0DFC3EFD675966CAFF1E91FF28BB14BC71BDF4B6FF1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060855Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:58.247{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E2FAA7209704E6A4A81A6602752A66,SHA256=30C7B6AE0AF6A7811694E9AFB1748F8C01C5DFB5A869CDC39A73F70ADACC8A1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031858Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:58.314{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6460-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031857Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:57.893{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031856Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:57.700{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5952-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031855Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:59.639{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3EBAD4E443A2089AB4350A73411B91,SHA256=644EC2FF701C23B1C68AE1C9659CBD8517A5411548D67EA49D5ABFCB21D85F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060856Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:59.262{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371FA4FA22045E36C3A749B6B09AFCED,SHA256=7099BEB350755E17848E43C211EBDFB760A838B9D54817E946799C04D2A6D47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031860Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:00.655{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AAB9C44D4A10C05C65F2B0EAF1D609,SHA256=F00597107D73329141506378B490E72EEC0EB70B5ED991E662181EE428980978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060857Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:00.293{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DD954DB90C8F15B612B6873497718E,SHA256=8CAD7A1B0147E759061301D56F43A07E62F37885B5F0C3AF86F0160A2F8B80DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031859Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:00.014{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA63F81A6CD3B3298D0C09698C103B5A,SHA256=142B249E878DB04362F6CC60A00EBCD27AB1258C8DD2DF0F1E7945FBE6714C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031863Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:01.702{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8F3B0D84C136605173BEA082E60260,SHA256=21EE6CE0F36CD9E6DD954F0930E5793FCC37009E626ADD317C173D728DAEA0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060859Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:01.356{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98124EC2D1AE6920667D8239112B086C,SHA256=C37C473AEF9D6586EB9B2DFB5A07CF7ED99A4A29171EE66E853E4DDC58D64878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031862Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:01.108{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83C637953B28D04124F8D213C685503E,SHA256=FEA416B1544CC76B4EAC382E382B72F3504F629FFCDB14AAC5B59FA0F13799B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031861Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:59.003{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6967-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000060858Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:00:59.195{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031871Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:00.951{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10010-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031870Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:00.613{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9503-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031869Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.780{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C568ABAE1AE073D61FFA5BF0DA213C5,SHA256=64936E302D44B1AEA0F0CD0344AB7A7A8375050F9FAE546857635E162354C041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060860Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:02.371{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFBC3E07E1A0B17510231F0D09E7807,SHA256=1D7E63398D54BDA078D33B5920EF074001E3F44A6FE2DBA5D0A8ABA832308755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031868Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.358{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25DE6A64DFA244C109B8B3A9AB712819,SHA256=F660BB3DC918F35258319D7665945A86D2A554F866F7D1DABAC817D1456D796E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031867Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:00.333{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8995-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031866Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:00.066{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8488-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031865Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:59.854{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7981-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031864Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:00:59.512{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7474-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031878Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.573{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12545-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031877Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.297{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12038-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031876Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.054{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11531-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031875Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:01.610{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11024-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031874Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:01.271{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10517-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031873Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:03.811{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F1C0EB2A3ABE6056039539DE4D7EC8,SHA256=F53D0FE963EA1292CC8ECE1ABE42987B967D61B8D7129CE119C0AAB4B7EEE094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060861Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:03.387{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D2B88B476703435AA6EA180BC90269,SHA256=C0588D2A59FF275F2119F66AE5BA47A63824E8D323682342BFB1F3AEDC758373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031872Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:03.483{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C44FD0868A77581D3D86504564B4A2,SHA256=5979F4D21AC841FF5459C67D1FD802809CA3F5A3AADD93025684404263A2F6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031880Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:04.827{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCF0C3480FF7EE320AD08CDE4706E71,SHA256=B6C0FD7F3CC6270D7677A3E1DBDF83B62ED5997661916BA052EC1CF7895B7BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060862Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:04.481{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2092215A495F91BF1D6ECBA492DF397F,SHA256=9EA12495DB02CC8D56ABB30CE8C4941F9CE6B64EAEA7405ECB4E75191F4B4123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031879Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:04.655{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70B2EE97A0AA45DC46273A7CC40F606,SHA256=03830FB9C79E4BDC2FF3D443C6CE569D73B47CEE6AAE5265596765F5FC2BDDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031884Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:05.834{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F8B762EC50395A96331DBA20E6E97A,SHA256=18847C3F6A7DFC78AC390AE25AA8D0743D8C5CEB63F1DE37E04BC932AF5C4668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060863Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:05.559{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD8B10FA7CB3ED370C486ED1FE8AC87,SHA256=06DB3C317EDC546F827C4242EBB63D258FCBDCAB38A9F004D63810C3F50348AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031883Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:03.125{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13559-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031882Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.924{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031881Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:02.850{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13052-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031888Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:06.842{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA70D6C4AF99D4A0DE148A9372E547,SHA256=3D43B37E1B581E70C1F30064E7C7C500A5E5D6DF816D989B5CAE84073210302D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060864Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:06.575{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B170D437791DF34B327A73D70FFAB779,SHA256=1FF9D72360A3D4CF8544EFDDF4EC3206D08A1D8826FF8822737ABF1696647761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031887Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:06.655{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F42ECD6B349C206A239B7C546E54ABB,SHA256=7EE71655DD00C36F6493C03E4F3CF641484F9460C4B508E0902EDDA84F1164DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031886Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:04.121{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14573-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031885Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:03.461{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14066-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031893Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:07.920{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F53D9E0B5D3DBB4B784411B7E6EBA27A,SHA256=1D25FD273675388D2957155DCDD5D0B35E174CEB4357ABBCF73A3494A00D09C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031892Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:07.858{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8173DDFC6A75752C685DF4E1B89191,SHA256=E53515E2DB29F8DEB5A09C3A5B1D01E03488E32C345E61E42D5C006364BDB8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060866Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:07.621{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3998327096BF74BB5A9E05241530BAC6,SHA256=F1A27D47F04BB59CD81773E4E679C105FA6CAD45DBC9B696AFF736189365E778,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031891Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:05.772{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16097-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031890Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:05.424{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15587-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031889Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:04.842{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15080-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000060865Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:05.226{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031897Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:08.967{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DAB85BF7CE3C96AA6927E982F8DFB29,SHA256=FEA1EEC651DC80A160EBA42DFBF64190E6E04048C397770B390F8843759AF98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031896Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:08.873{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A6324949E39F254CC25E24CBD64319,SHA256=8A51326B5971368D5669B0369D110191E70A30F5C506E28E8707E1E6C1C4690D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060867Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:08.637{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F64D1654744436807AABAA2957D0E8,SHA256=3488CF6B6C390467EC054E0E75F919632AF1DEBA22A82D35EBEBC6E3B2B5E5A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031895Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:06.777{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17111-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031894Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:06.219{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16604-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031899Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:09.873{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB075146B732DF61989BC311DFBC3CAC,SHA256=EA8AC3A9A4B9B844AF91266C1CB4FDAC9829D560487CD960BC97823DE4E7E7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060868Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:09.684{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C34557455C5C270B8755DD62EC572B4,SHA256=8E6685A0B0021556B6C794ED989D575F421A9B67E93EAB612CA1147018735C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031898Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:07.395{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17619-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031906Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:10.889{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0C2B5465930B47A9C2D0E29808AEED,SHA256=7CDDFCA970769F783DAE1F0161648151010000E3323F839386AB8CCC4CCB58E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060869Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:10.715{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C685309F2BA33A0336D8AF08BE02ED13,SHA256=10C755B071D961FF7DC12A2EE5B5B39FE832237DF24B363FFF73C5653CEBE887,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031905Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:08.781{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19647-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031904Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:08.601{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19141-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031903Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:08.324{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18633-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031902Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:07.994{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18126-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031901Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:07.955{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51665-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031900Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:10.092{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C9902DA9D364EB80659F95197F07298,SHA256=CC5214221832DB43D7FBE1A861B3C1C4DCC3B5EFB9273EE120B1036F24BEDC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031922Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.905{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7900CCBB8B0DF7BA0B2A09947D937B54,SHA256=D4C571F5A3AB4AFE1CF25D479281648EA056E7533FFDDA8FD67280965FA6AD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060870Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:11.793{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940C80D5BFA747980B3D79894D33287F,SHA256=554B43492D71C2271A59CCF560A5D72E8DAE26D2B3F0DC872274675939F4C58D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031921Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CE7-6092-FB04-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031920Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031919Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031918Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031917Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031916Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031915Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031914Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031913Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031912Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031911Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CE7-6092-FB04-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031910Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.576{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CE7-6092-FB04-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031909Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.578{04D9AEC0-6CE7-6092-FB04-00000000BC01}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031908Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:09.017{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20154-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031907Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.311{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E7B707317F68C09009ECD6181DA640A,SHA256=F211C6DE9D8A0324AAC5CB51C576635E3AAA734F04F211995C08E8367C4A1DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060872Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:12.825{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53371B8F9EEFFD04DDBEAE411CFD0938,SHA256=60CADCEDFF63A7FB97F531EB990DE11C27E3CAFEE90A6541FE1611242BADB586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031956Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA1B39395AB5D8084975CA3071F9DF4,SHA256=61F88D45C01DA0449C2C417DC79A5A6CF3308B969FB1A7A717152E627BD0B18C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031955Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CE8-6092-FD04-00000000BC01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031954Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031953Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031952Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031951Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031950Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031949Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031948Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031947Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031946Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031945Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6CE8-6092-FD04-00000000BC01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031944Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.920{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CE8-6092-FD04-00000000BC01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031943Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.921{04D9AEC0-6CE8-6092-FD04-00000000BC01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031942Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:10.597{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23195-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031941Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:10.289{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22689-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031940Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:10.013{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22182-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031939Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:09.771{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21675-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031938Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:09.533{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21168-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031937Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:09.293{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20661-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000031936Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.451{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14435AD4CA00BF1325884F5DE8AFD9F9,SHA256=79FABCBBACABCF99D2EF85EF48D56166DBE3586D92A6B99BD76677DED649EB9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031935Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CE8-6092-FC04-00000000BC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031934Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031933Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031932Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031931Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031930Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031929Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031928Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031927Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031926Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031925Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CE8-6092-FC04-00000000BC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031924Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.248{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CE8-6092-FC04-00000000BC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031923Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.249{04D9AEC0-6CE8-6092-FC04-00000000BC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000060871Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:11.023{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060873Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:13.840{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9FA1ED9C216AE509CF7594F206257F,SHA256=20AFB249DE52EF076D9D9BFF1DDB2B72FD6627A9F3050887394459E69CA6E6B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031978Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.983{04D9AEC0-6CE9-6092-FE04-00000000BC01}8883880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031977Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.983{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8C344080B95B0D2EE53A5F8038B250,SHA256=D2F72958964A3DD7C6A4595086FD1CB34C197B709D8674B908A28D465DE917CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031976Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CE9-6092-FE04-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031975Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031974Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031973Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031972Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031971Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031970Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031969Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031968Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031967Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031966Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6CE9-6092-FE04-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031965Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.842{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CE9-6092-FE04-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031964Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.843{04D9AEC0-6CE9-6092-FE04-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031963Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.655{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A4B9A21736565A891277B25EC4B5BB,SHA256=32769518DBE1927F28D828537DF27451FA676E512680E091D1561AA13E5200E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031962Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.002{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25727-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031961Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.797{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25221-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031960Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.419{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24715-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031959Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:11.155{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24209-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031958Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:10.912{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23703-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000031957Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.061{04D9AEC0-6CE8-6092-FD04-00000000BC01}40162972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060874Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:14.871{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840AB61C91C22BB5DF3486C0BE690B9C,SHA256=3FB26D09FB3E99AA4F20054A9BA3FB8B6526E3996EB995B284DD014509AF3AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031984Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.764{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E18ED115A869AE4A5DC2167F09297E9E,SHA256=52968528B27144AFB5DAA26153160C6B6D24920C7079AA6E5B5DA785E9A9AC1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031983Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.980{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27751-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031982Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.971{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031981Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.671{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27245-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031980Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.462{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26739-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000031979Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:12.215{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26233-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000060875Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:15.903{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1943356F1DD9A9BABA6FFDCB2F3254BD,SHA256=4DFE66A9F3D1735A6C1332957B4308AAAD0BCB29FC4E4406F4B21F275F9A9E62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.936{04D9AEC0-6CEB-6092-0005-00000000BC01}8282988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.920{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63D2A5324CF46388D05525451AC2174F,SHA256=62C8915EDE52B46078C1CB823CCAE65C4D56940879FB90DF92AAB13B4EC54B21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CEB-6092-0005-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032014Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032013Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032012Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032011Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032010Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032009Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032008Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032007Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032006Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6CEB-6092-0005-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032005Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.795{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CEB-6092-0005-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032004Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.796{04D9AEC0-6CEB-6092-0005-00000000BC01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032003Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.075{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29775-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032002Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.791{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29269-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032001Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.537{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28763-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032000Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:13.266{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28257-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000031999Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CEB-6092-FF04-00000000BC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031998Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031997Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031996Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031995Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031994Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031993Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031992Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031991Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031990Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031989Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CEB-6092-FF04-00000000BC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031988Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.123{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CEB-6092-FF04-00000000BC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031987Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.125{04D9AEC0-6CEB-6092-FF04-00000000BC01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031986Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.014{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031985Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.998{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53513871DE26FC7C0DFD45C56B5A10FF,SHA256=680D387EDDAC6EC5A17F9E94070666A61AB68E9F724F358618DAFA756D007847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060883Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.950{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D6A9BFE212D1FF36B86ACE3B8DE960,SHA256=4A9944221C393F42BA69F708F0EB872578B3A076C83670F2C5E1B1E1F8153C8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.020{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31799-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.806{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31293-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.783{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000032035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.558{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30787-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:14.322{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30281-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000032033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.608{04D9AEC0-6CEC-6092-0105-00000000BC01}1092824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6CEC-6092-0105-00000000BC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6CEC-6092-0105-00000000BC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.467{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6CEC-6092-0105-00000000BC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.468{04D9AEC0-6CEC-6092-0105-00000000BC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.264{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D03D64718AD45FA7C47B4D2D42635E,SHA256=011437F5E3D22872AA49818E60C29164B8ADC448F0C0C029546578FD4EFAA3C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060882Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085216C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060881Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085216C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060880Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085216C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060879Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060878Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060877Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060876Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:16.684{B13AE1A5-4D0F-6092-F804-00000000BA01}44085192C:\Windows\Explorer.EXE{B13AE1A5-66F5-6092-3908-00000000BA01}6208C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060884Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:17.950{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5783797CDB75F216DFE75A68762200,SHA256=86913CC0E316B7238956D3C8A75E0252730BD387C11AD6DAEFF85E55A6618C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.098{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33823-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.819{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33317-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.572{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32811-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:15.300{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32305-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:17.405{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBA090AFAC6692C53C92F02FB2153BB,SHA256=ACCD0891549796DCD7498F69252EDC184E9F121E32E2CBC3A5FD2852FDD7FB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:17.061{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F1A4BEA75BFE5EE8F1AA32256C1978,SHA256=26C920BB05FA6A33F0A05B23948FCAAB1EC08224F1C393F2775C4D6CDC6F5C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060886Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:18.996{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B33218FC7AC2EA8FEC35B4C205E8D3,SHA256=81761C3C6F6B2C1FC158BB5557D96A27A3B38AF8C8CF9277C9411B5095A028C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.569{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34835-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.349{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34330-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.420{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8DDCEE0710DD79E4CA074006CE0A0C,SHA256=DEC39CAA9444A240A22EC432C5E9871C40DE1544F06C8E2B7B8336D45484455A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060885Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:17.054{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.280{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECDCEB25B562A4FA1AF29BF1E6708618,SHA256=D41C46208FF17FE04B15CA973A878F96D7B7FD9BE4F52FE11DD8E9AF9FCAA057,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.228{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38377-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.021{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37871-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:17.812{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37365-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:17.493{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36859-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:17.238{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36353-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:17.013{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35848-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:16.786{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35341-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.483{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB68097CE1FD16EFE9A121DFE32546,SHA256=39272CB4D5CADB0E2F7DD5328C49EBA191E37626B504955FA94F293372329227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.358{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3008B05A03C8FAD0DC39B344F3E7D8B,SHA256=B85389692CA9C6240C900D7E88B52BAF30E6784433BBEC1CFC86B7FEDB0DB501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.221{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40401-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.002{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51668-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.947{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39895-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.665{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39389-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:18.452{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38883-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:20.498{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BF82ABCA0347EE90E98D1C38FC4547,SHA256=4B5F4139E114A0DEAC773B8CAC33625A62C292C06D872E012B8A1FD394CB6216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060887Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:20.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13CF7A40DF939CB70624C85E17626FF,SHA256=62AFC2BB8157C903F40148E2E27858AC4D0D67D41C3536BC3C90131FD14C5CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:20.420{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADBCCDFBAB504438D1D84E913073F1F6,SHA256=245498ED9C2595E9EB453F41FD92958BB4CCE96D154F4E43BF9D5EF1F78C9505,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:20.177{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42425-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.971{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41919-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.660{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41413-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:19.454{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40907-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:21.608{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04F072465F832E2C59A03C5DF61D6318,SHA256=BDA00C34633C30A4EF2DE61D75A72B9E9FB4D88DADBFC7FD6782481E0D5E05C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:21.514{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7476019102BCC706C97590599ACEFB22,SHA256=7EBB20C6083D499A42E28EF9A6ED9EF5EAF7A41975E221960CE59D1D4C0BFB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060888Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:21.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD618BF073A9FC9F5823217FE9AC514,SHA256=7434F914CBA76B4A0973F05741F4151C48667B4053E1ED538ED22F33DC322610,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:21.206{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44449-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:20.936{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43943-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:20.698{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43437-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:20.422{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42931-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:22.717{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E589F2935985ECB7DF83FDCFDDA7761D,SHA256=B433FFA93985E8A0B16DDFF2FE26F26BFBA33D31616E6ED1D867559F91EE67EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:22.561{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE01D3BD9FDAB659DD5E3B9ADF0C911,SHA256=B7731DF3AC5E08E20902C6933CA3A7533253F148F54C8C28A99D6E8C3FB8A6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060889Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:22.106{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B2D9599424B1F4BD2E53AA1108FCBA,SHA256=493401461D0797F1C2A02CAC3C1A9D0E5F7A6FB147595FAF64BB6181B21B4986,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:22.304{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46470-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:21.953{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45964-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:21.700{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45459-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:21.458{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44954-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:23.670{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910828B82E6005A34CC608D046864694,SHA256=7615ECD6445CCE2EDCD2B23716ABB2D7794DEB0C3B04E6FB49BB2C7B7C12D83C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060892Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:22.085{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060891Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:23.590{B13AE1A5-471A-6092-0D00-00000000BA01}10042988C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1600-00000000BA01}1572C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060890Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:23.153{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763902C1621B3B932B25604C9BD329F6,SHA256=7869312594E8721A8DE218C709D4F4722CD35C7FC1741D14B1C3220B726E631E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032085Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:22.789{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47480-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032084Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:22.517{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46974-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:24.717{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772309EA23F092E2159E765AA573B90D,SHA256=121CDB848094295F63DA3D9970F0D3690ED6187701E10DB71C43DBEF56771636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:24.045{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5286BB03594FC1EC3229C5F5B14955,SHA256=0144B876F1FCDCA675231A1E8630E71F4A2279B239CEE339CFA4AD8A4969F787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060893Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:24.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD2E65BEC339231218D4D539BDB1646,SHA256=7118F27C2D4BD130089E63ECB924B5C190B27D47D57E5714466BE07C8EBAF7FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032091Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:24.017{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032090Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:24.007{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48995-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032089Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:23.520{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48490-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032088Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:23.205{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47985-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032087Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:25.748{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AE3FE952345DFF72CFA9A07960C292,SHA256=D4F245CC35968E7E33E5BAE954D4D05F94C21509EC4ACDEC3307A92C0A4BFBDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060895Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:25.262{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060894Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:25.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B78AE3426FBCCBD27DF66922645E539,SHA256=250732771AD0A04EA8D1A332D8FEAA2DE881BAF2C3737221759105A1D999AC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032086Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:25.201{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7E4E5035805726EE6E1A91E790DDBE6,SHA256=A6A0E95569F0854BF7956C89BE8842E6855901666A4153BADE9B24A947401550,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032100Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:25.485{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50517-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032099Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:25.002{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50012-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032098Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:24.590{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49500-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032097Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.842{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B81C016ED11D0DD0C9C4BAEED2ADE4,SHA256=6AD7ACF0BF168E8F3C74CDE653DBF22F535B5110D71A1CC50674E6C50BA669A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060899Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:26.918{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D132761D9451FBE4F90ABDF20873285,SHA256=B49E29AB4B820D6DD8701A48DC2C4B0B19AD608C1631B4EB28CC42E6210B7A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060898Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:26.918{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A64BDC80AD173124AECC950B489AAC0B,SHA256=1D02548D769689A9364604984D3CAE86B3C39D39B5D374204D855FAF86FF9DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060897Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:25.210{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000060896Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:26.309{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57EFB0DF3F0CEA082EC60A9FF780A60,SHA256=4C3CDF5445CC10A91CDC16505DCB49F797E3A9AF14D4EFB2A92370519808ACDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032096Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.607{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30E60DC145B7E2A84216BC69F6CD4C1E,SHA256=0152DEA415BD15BFEE401BDC2743D78272F0E3C9922639E86776719D46BA1D02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032095Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032094Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032093Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.576{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4953-6092-1500-00000000BC01}1404C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032092Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.108{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D7C80A48EC65D6ECB9DAD8A92949B34,SHA256=8E1962D65B9A3F73BFE2D675CDD1E28497D81518627F602D76D5BDC21FEB17D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032102Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:27.920{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C0FF59A45A9351941860DEADED17F1C,SHA256=D11181C22356139A2B9CF970B4ABB45927F8201C3B456A06C963AA30CDE1D665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032101Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:27.920{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA36EC3C3F2B3DC486C1C748D24DF28,SHA256=EE24AC87B7DDEE2F30622E4D5AF3E5520F6B7823A6BC1793552F8ED6228BE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060900Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:27.325{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F443566E243B1AC7424852BC4B2A78EA,SHA256=E0831507C7E2302FAD9AFC6BF3C50E4AF0697397249D66FEAA3043A61BD5AC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032106Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:28.951{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4B7E4016EB54C53FCB8EF0570B9601,SHA256=E7B6C038C922D75085C1F46965A243B9AE617692E33AA1B55EDFFF4FC2AC6129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032105Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:28.951{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24CA29D362862A56D016722D05B75CC8,SHA256=5CC41FF5A4920AB7DAB9AED9C7121766DFE6AD95645B1D0F5C30079C888CE573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060903Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:28.340{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EA258C022CABFB2CD47475171BD5D1,SHA256=62DB25DDF0D3879553A0348598E2C45340FBFFABEA70BB48E7BA15BDF428FF48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032104Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.415{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51527-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032103Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:25.896{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51022-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000060902Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:25.851{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54169-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000060901Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:25.851{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54169-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000060905Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:29.356{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F5530D4EABADD7078EB243FB8D44F5,SHA256=EEDA0A0BA7F66B3B576EF26ECC5D20BB15223C9120DFAA2DC2EBBE51FD05F773,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032108Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:27.276{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52535-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032107Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:26.968{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52031-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000060904Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:27.085{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060906Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:30.465{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B5E99581D8F44263070FAD277CBB2A,SHA256=5A38E1CF4991818603CEF48A281038328ECD6BE598F1AFC466F7C2FEE26073D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032113Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:30.326{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F1E70F15924CB70D74938D8CDE4209D,SHA256=277E4CAB7301393BC4A2B72ECDFE2B09F8086B0BB1365B97F6D9AEC7FFE6EBA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032112Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:28.440{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54047-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032111Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:27.854{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53543-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032110Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:27.552{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53039-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032109Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:30.045{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75B3A7698A69E3BDEC5240047A9BD62,SHA256=E2C716FB3C41C3B4ED1CCED9CB856CC14063909701CDCB75CBE7E420CEE1503B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060907Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:31.512{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79306DC78C6EDCB903DA4C9C98583D1C,SHA256=EE43A370DCFD48BF7FB2B234743B7AB4CB74234DAEE457A4BAECA3F9A6192FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032118Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:31.514{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9A9C9D0AAB32443492C324000FD0B0,SHA256=84043F33C204A042F1C66FB6EBDAC60F2220AEA6CFBC0208468523A3BD2EFC62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032117Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:29.404{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55559-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032116Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:29.059{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55055-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032115Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:28.721{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54551-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032114Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:31.092{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9554DAE834294397B464AB906F5CF15,SHA256=D25A902B788DCF625E5EEF09F83070D885B19FA7D37CC8975DAEA1F4078D221D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060908Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:32.575{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349A1C7746CEE36315B0692335C20A79,SHA256=6C3B134A4883B54295FD52A6D17BC5942C61937651C6CD50DB7F6C47D78688CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032124Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:32.982{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=789CA1B92B2BD4732B4600A3DA6CA5C6,SHA256=18F440294D3F3708F2FD8B350C6D1D2CF6EBC49A8831C6D4E28F1A0C75FB7DE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032123Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:30.546{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57071-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032122Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:30.197{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56567-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032121Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:29.861{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032120Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:29.784{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56063-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032119Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:32.139{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A990AFCCD73DC0FD1CA0AA6122816B0,SHA256=BF949B26071BB51442F90111B43BE33911F347377989A6347A3D0EC3BB221716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060909Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:33.637{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19D2729248A3FD4F94D33396C2A71F4,SHA256=7C56A4F63429EFFE683A224A42271E1C46AF69EFC2E0B30C45786A68C928EDF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032127Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:31.554{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58079-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032126Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:31.209{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57575-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032125Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:33.154{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF80713388407B809D537764D0FBB59D,SHA256=849AC47ABA4F057ED77A46806BAD1F142C1582884B354EFD1203D02CDD587D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060910Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:34.684{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7193444F18F904A60C64B0FBA6EBAFC,SHA256=838FB54E513D859B3F638D4DDF76A5A8F6ED16431359B336B5ACAEBFD25D2A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032132Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:34.560{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA42E05C031CDBAE6E5D504D369359FF,SHA256=A458ECE5B03323D01815E5D226D94A13A4FEED1D843194DF8974C9171A76859A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032131Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:32.481{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59591-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032130Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:32.040{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59087-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032129Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:31.797{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58583-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032128Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:34.248{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54017E836E5B8CF33F99C394AEC8541,SHA256=225EE6020690F35C44E72F11AF11F207BFA08A8624EDCB6C538BC593A4070186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060912Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:35.684{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F12C7D9055B38927534D76107CB7F6,SHA256=5C722C26B45C19C336A7B99EAEE1DCDA2174FF78DA0E7E75978754810E97F57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032135Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:35.639{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB782FFE8313E04D924BBF01424A6119,SHA256=DFC413B2E8BD615481C2A2E73FB8AE91E5F93873EE77FF958F002F33389140F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032134Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:33.375{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1118-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032133Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:35.264{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0551F72BB71223C268BCAD5DE63A8C,SHA256=97C91CA3573F0412B16A220478E73303467B6D1152A027AFEB75CAD5045C66D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060911Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:33.101{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060913Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:36.778{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC505692E2912487ADD877A05DC60EB8,SHA256=C1806FF5BCAFD923C1DEA26DBEC795D52E0DA3D9D2C1D26C76244E08D12E4A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032140Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:36.670{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C10CE4576177B7C4D057DF37B5A33D35,SHA256=BCD727DBFB17110D158C422E14A933C609F0215E8522CEEDD12D2C6FC3071F5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032139Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:34.923{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51671-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032138Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:34.752{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2126-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032137Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:34.198{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1622-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032136Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:36.264{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8567DF9ACA6A2CA5EC4299F6319494,SHA256=96F6EC1ED34E167D889316BC3A3315937968EED9AA232EDD0994F6CC5C2B3E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060914Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:37.793{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C988734D9CFED8633FD936540D84FC,SHA256=51C5FFBCC68BDDF68F31C600F353FC17CE4C69400DBF6A8B6C66EAEC2020F505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032145Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:37.826{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95323D3432C094B5AC65EB7FEEFE1B31,SHA256=E4775775571A3BD4262D566DA4F445B6E86F339EF6ACD3770304A0BB577EE676,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032144Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:36.018{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3639-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032143Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:35.568{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3134-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032142Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:35.230{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2630-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032141Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:37.279{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D32AD12B68C8DE4AFD756ED2CB7A52,SHA256=AAE55B639928AE9D56E9DC62C287CD6223E0AA30AC3A254DE541F346DD8DE854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060915Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:38.824{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F645B1906C480D79B58421BDC38A74,SHA256=719F855CD0DFB03DA88D8A437CEBF27BF3D08DED1ADAC32E85E41DBD1105E042,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032149Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:37.157{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5148-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032148Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:36.911{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4645-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032147Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:36.501{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4142-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032146Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:38.295{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DF814DBF03CC8D133C9D06E8EF2EC7,SHA256=101FAC5AF3A97E073CD5478C14BE0C6C232463CD28B7B0B8CA14437333B1F4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060932Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D03-6092-7409-00000000BA01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060931Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060930Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060929Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060928Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060927Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6D03-6092-7409-00000000BA01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060926Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D03-6092-7409-00000000BA01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060925Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.981{B13AE1A5-6D03-6092-7409-00000000BA01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060924Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.840{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83EAB756DE94FC165F19DA4CA1BF82,SHA256=0A6BD32120D82EB5D54EC953E47CD64FE2E06EE202FBF92E8B2AD20FBD7CB70E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032153Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:37.774{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6155-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032152Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:37.400{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5652-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032151Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:39.342{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F1CB49B1E638C956C9CA5E2C97C167,SHA256=2E5D513A88594842B3EA472B4896413B8611B8A732246FB84F5AB0E6D06F57F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060923Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D03-6092-7309-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060922Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060921Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060920Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060919Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060918Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6D03-6092-7309-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060917Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.106{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D03-6092-7309-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060916Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:39.107{B13AE1A5-6D03-6092-7309-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032150Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:38.998{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC3E6D1BEC316AD60FD3EC420D0A15E1,SHA256=3E97735A1FA0CC4D6024EB9CEF6FB66153DB7FB699FFED2A3EB14ABE0B91FD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060945Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.856{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFBFC66FDBEF7198A7CC5A7719DAD61,SHA256=69E34F346CDB5945C7A2D3549B0423F5E5E74EE6FDA0486F01F65CC00786A231,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032158Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:39.153{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7665-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032157Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:38.671{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7162-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032156Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:38.294{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6659-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032155Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:40.373{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669BABEF9DF0550736EFEC3D80A5D872,SHA256=CB8DDDF3EAF8FB5531A61F3122CA29C7AE57F9D464FC0121AFDBA173CA6C30A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060944Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D04-6092-7509-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060943Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060942Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060941Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060940Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060939Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6D04-6092-7509-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060938Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D04-6092-7509-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060937Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.653{B13AE1A5-6D04-6092-7509-00000000BA01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000060936Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:38.116{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000060935Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.121{B13AE1A5-6D03-6092-7409-00000000BA01}41203604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060934Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.121{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C227E6BF545C101A2DBFB20A67857D1,SHA256=28142FDD19EFE2EDF573A70F1F3E53390362601C435E111CA1C0DB8A658187C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060933Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:40.121{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D132761D9451FBE4F90ABDF20873285,SHA256=B49E29AB4B820D6DD8701A48DC2C4B0B19AD608C1631B4EB28CC42E6210B7A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032154Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:40.310{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=721CAA1ED9216143A9FADE87517524C4,SHA256=98153098BE40079F142B829E0757388EB0873A617A6559EE21CAA6F345366422,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060956Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.903{B13AE1A5-6D05-6092-7609-00000000BA01}62888024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060955Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.871{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF066B01B34B1D6F5CEE554DF605436,SHA256=7A081C5214150219AA2C9ED10945FEB57319B44A54753FFFDA530C86C8A9F632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032160Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:41.935{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1107B2A6C5A0CEFC7C91567091B38127,SHA256=FB4B06111849563B88EC010F84868A19DDCF00D48EAB97503D1A7B70D44D84FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032159Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:41.404{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDEC7DF1643CDFB2C6D0C7770C22ADF,SHA256=203E1AB5FE5CBF7BB01D6485ABA1EA2FDAEAF63B267C83D22BBBEF24A1EC8669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060954Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D05-6092-7609-00000000BA01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060953Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060952Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060951Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060950Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060949Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6D05-6092-7609-00000000BA01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060948Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.762{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D05-6092-7609-00000000BA01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060947Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.763{B13AE1A5-6D05-6092-7609-00000000BA01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060946Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:41.668{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C227E6BF545C101A2DBFB20A67857D1,SHA256=28142FDD19EFE2EDF573A70F1F3E53390362601C435E111CA1C0DB8A658187C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060967Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.871{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93E2CA3C0DBD14B737BA22ED3B37D0E,SHA256=6D1E5A9C90A174154D8AC23E1949A7E557B7349FBACCC03DC4E08712056BFE1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032166Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:41.084{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9678-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032165Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:40.709{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9175-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032164Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:40.364{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8671-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032163Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:39.954{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51672-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032162Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:39.843{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8168-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032161Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:42.467{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B4E0798C95855342EF7541A0FC94D4,SHA256=212FE10AE35779824106C311740657C89EB14E353C19AE5B40C9297B25C91F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060966Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.762{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A57022736450BBF1BD6777C55C4CF063,SHA256=2800ED33EC08CC07214B48C4265F0F0D06FEBCBB58AC270814A36C48CD4C1C7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060965Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.621{B13AE1A5-6D06-6092-7709-00000000BA01}53007764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060964Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D06-6092-7709-00000000BA01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060963Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060962Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060961Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060960Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060959Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6D06-6092-7709-00000000BA01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060958Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D06-6092-7709-00000000BA01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060957Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:42.481{B13AE1A5-6D06-6092-7709-00000000BA01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060977Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.887{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D72468D98335C6ED174B210E5A51EF9,SHA256=B5401AC3CD503AFB85A3D3B6F0A1DCF0982854D841A22AF5F6C3D127F298A3D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032170Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:42.154{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10684-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032169Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:41.631{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10181-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032168Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:43.513{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC91317F7AA9A1E4739B202CB9E4CF5D,SHA256=09EB285F5AB1F457354586B5B2B6212648422214421FE912703B1D40E845B018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060976Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.309{B13AE1A5-6D07-6092-7809-00000000BA01}53405428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060975Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D07-6092-7809-00000000BA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060974Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060973Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060972Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060971Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060970Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6D07-6092-7809-00000000BA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060969Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D07-6092-7809-00000000BA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060968Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:43.153{B13AE1A5-6D07-6092-7809-00000000BA01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032167Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:43.107{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAAC03B5FABD0F431040B18FA36A7258,SHA256=4719E17B62E1748AE70CAA7BC9C9D4294675DE5222B31BE549D5AA3D4CECA06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060987Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.903{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A09ED9F6724A618D3D722D15282C4F,SHA256=78F6622A3C0063144CC27AD44588DDF71FA259819E4E3ECE60CC9BB42F991275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032172Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:44.560{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEC53F24307AFAF7D1B0F7E12CC0E5B,SHA256=01D29A6B58F8BFF0C2C89600D896A52686598B10C7F22E83E2DBF18B93F5561C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060986Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D08-6092-7909-00000000BA01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060985Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060984Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060983Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060982Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060981Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6D08-6092-7909-00000000BA01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060980Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.371{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D08-6092-7909-00000000BA01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060979Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.373{B13AE1A5-6D08-6092-7909-00000000BA01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000060978Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.168{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26ADA4D6BFD7066CCD442C90C86E7E71,SHA256=CB3EAB20BD9014060C09DADE2AF932523535F0782DF89D666A152BAD2FB2026D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032171Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:44.232{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE15AE1D6F92CE3C4173B09F0C8DA188,SHA256=3C9C30E313C66D0DBF0DCF5F9D1319BC7F0A8ADDBEEA31BA43E4AB6C8F2E7332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060990Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:45.918{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEEF08C43AAB5DB625295CBD46F561C,SHA256=8B72F603DB5C44CEC80AB9A341DBB5F22E03E47575663E4AD4D43830316B0ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032180Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:44.046{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13698-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032179Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:43.768{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13196-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032178Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:43.525{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12694-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032177Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:43.284{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12192-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032176Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:42.943{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11690-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032175Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:42.528{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11187-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032174Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:45.576{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A925248960F333B1AE806E21ABF0A72E,SHA256=46F3F00677F90FBE46509A35F90FBB25D01E568EE4F4F27AC710EC4FFAD0D059,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060989Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:44.148{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060988Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:45.371{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=232E10718AC333079AB46F36C279C6B9,SHA256=214553A8567BEA411AD4383AD178E9FDCB49CF21D01E768214311B793DF9F523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032173Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:45.295{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BF5E217440D850350BFDD4C890D1BA9,SHA256=04659C3EB026DCE24A6605E51443F4211A304B1152DA4B801F2D17D3B179C0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060991Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:46.934{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA5C8C5FF6B4118A807E6998F37A741,SHA256=B70433FE5409B2CE6020FAF2A3FCCE1956F5DE4551A45A9C84E6CAB0020D7569,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032186Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:45.220{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15204-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032185Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:45.017{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032184Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:44.909{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14702-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032183Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:44.528{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14200-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032182Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:46.654{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06BC763F8D7BD10E673BA17742F513B,SHA256=FDB287909F611AE8D4C5BA1F6DAE5218D5AA5ED51E20492C29AAAB1B5A0F7518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032181Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:46.592{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4352E28A3374FE226A8017CA7B2CD674,SHA256=47B94B53EDF5ACBDBAFB58B8DB0EDD0B49FDB7496BD98C8A7243D26A57B1C9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060992Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:47.949{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE83080642495D4C7361565EAE21A1C,SHA256=36DF7D97AB798F0BBD2A08D207EFD31AF947C6E2EDA52344943BE6D9071BAA7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032191Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:46.427{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16713-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032190Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:46.015{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16211-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032189Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:45.528{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15706-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032188Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:47.888{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D83E0ECE7BCD9C1AABE71059EC5941AD,SHA256=1BBD579A7C02BF4C83201F0E4FDDB8784D6E74C8E529F09890F5FC037546328A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032187Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:47.638{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F592C1A897DD0A3FEE61B8ACC6B5C0,SHA256=C41B1520B5942E9743E7AF60372395FACA8D68F5111C741E20B5C959D5032747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060993Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:48.949{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D702D34AC5B82124385E2758D994C3,SHA256=FBA74E73819F81A3196928F35FAF183F0393664915BEF414319F12046E888D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032192Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:48.685{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD5FB8F1ABBCBFAC25892383E467931,SHA256=785C5FBEBB139F52184347E9C6C0A9F530417F0E10AF42D633A43EC8A0C3C62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060994Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:49.965{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCD0DE19A3408701AE7F66A9837AB06,SHA256=7191A21FFACFD351F0736D8A5F80BA15F45A20063F80B2384104B0E3EFB1D53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032196Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:49.763{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EEF78A1A654E9C925A453346E4357C,SHA256=AFD4ED6C510F925FE1F5051D98AFFB4B4A8235738946A0C38F6C0130B3794458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032195Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:49.170{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6CC4DD8F6043C9AF2681DA2FEBD328,SHA256=E8E24DA08582A008E3A3E5B8297CEAA6943D7B99536D1F32B9EC7A1A1B6A7095,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032194Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:47.049{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17718-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032193Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:46.738{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17215-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000060995Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:50.981{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006C58F1EF3CD78F07AF324800313ADD,SHA256=EE0B7F98306C7035BC592CDA43F8E17337FBC31FF10FBBE8BEC9C36A860C1925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032202Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.795{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21414390113C04DAF9029816535F90F3,SHA256=09361DFBA627A70FA6C57B1C60D8D00EB3D29BA817D7A94907845A929E571450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032201Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.279{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD8C973F8D0FD79C251D38207D5F30A2,SHA256=6E080D193D123C7EE550BAE6ACD30C08ACBD8B3C446AC311AFC18310E3DDDB56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032200Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:48.407{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19726-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032199Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:48.089{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19224-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032198Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:47.766{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18722-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032197Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:47.356{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18220-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000060997Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:51.996{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C13846783B5CBD807D41D13A1C7ECE7,SHA256=E0BEDC47F104BF47158C08BD5DDBE1AFD11E67D8A6F9DC72AE42D3A8C3BD97EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032208Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:51.826{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682F11DED2AABBB732CE132BAAEED5C1,SHA256=2A61720D0A2F5034BA315474B726F4B976261A1A371CD5380D2DF933E597E849,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060996Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:50.179{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032207Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:51.373{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E1913209A072C241D2D6457F90566A,SHA256=6AB017EBCBF4DC18F050091AC101F5B9F0FA486110F2682011A4F21BD6356833,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032206Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:49.430{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21734-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032205Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:49.193{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21232-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032204Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:48.953{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20730-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032203Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:48.707{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20228-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032216Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:52.857{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9F9731886AE46BFCBC08A7250177BC,SHA256=DB52E4EBFDB3C62FE1AA38E5127F0276CE19EE8ADC7F7521B993890707182918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032215Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:52.623{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB47DA862B41F1C1635C7BC3EF81926A,SHA256=14759E9D973F987E687E414014824027FA8994C34E61417B31E30B54C80443DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032214Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.665{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24244-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032213Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.348{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23742-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032212Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.128{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23240-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032211Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.048{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51674-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032210Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:49.890{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22738-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032209Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:49.663{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22236-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032221Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:53.888{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A432358BBD5BF3111748241FCA9968E,SHA256=7E98BB8EC43C94C6C6715249F15FA1F5A25DF729F63FB65E1CEFE4ABEB4869E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060998Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:53.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3F0E40CD3B2DBFCEA5F62706160029,SHA256=B5AE9EE2CBF7309580058D041D7554070C22F6FE37E29B61CA89DB9D9B15D46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032220Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:53.716{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0FDD2244617520B88D00E763039FCFD,SHA256=7B68877AC3DBCA11D6B35A5528FE8F608F31AF8E862EEC7E20C8F9377647503B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032219Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:51.497{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25750-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032218Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:51.113{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25248-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032217Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:50.871{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24746-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032227Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:54.904{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF47B4B9A3EE453CFD6676BDEE2578,SHA256=839FF7449C489B87399A6AC7F3EE531FA1B967479C5114B0A3BE5FBDF9296019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060999Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:54.028{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A7E9ADAA0FB8313F00F0BE0BAEA4CA,SHA256=27B589FED14B117D7C16C80947D00D2255230A548BB7C8D5C15E3FCAB6531CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032226Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:54.748{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4344320AD573920041FD436E79535E03,SHA256=7F3CAC19D813419C61AE2FCCFF03DD1419372767FB944D5F18D1EE6528B71C89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032225Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:52.671{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27758-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032224Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:52.391{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27256-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032223Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:52.084{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26754-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032222Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:51.737{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26252-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032232Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:55.982{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF829A02C28C1216FF548F21F47CDDE9,SHA256=D6DA6075D660F3B8E16FA350649A49394274F15C360580AE07B0F2008365EDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032231Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:55.966{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB34BAC66A830D16FACA160DC7BDABE3,SHA256=6D60CE52BB28FC622BD65B10FBCF044318EAAE0019F59854132D699C4F4DA800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061000Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:55.043{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323C1E8790BBA6AFA6B6898EB6B59690,SHA256=46A8B2A41E18FA182A2E21CB65EC2E0F09054C98CE2F1B4C7C0C3117B2DB9588,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032230Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:53.617{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29264-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032229Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:53.338{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28762-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032228Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:53.027{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28260-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061002Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:56.731{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DF5E77167276DDF58541250F68A3DCC9,SHA256=2AFC07D6E193AF88859B99C190A3DDE50FC7BAD465678D14BA67CABCBED98C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061001Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:56.043{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99285A07E852D778989F3DFC949F87CA,SHA256=76AA9009CB6BD4F9C14ED94D6934213F198C867194A3F0D9090A6CB81BE04B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032236Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:54.682{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31272-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032235Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:54.358{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30770-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032234Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:54.133{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30268-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032233Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:53.863{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29766-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000061004Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:55.194{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061003Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:57.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A80EAF1D9BCB31BCCA2BB84BCDBBEA,SHA256=0956E6BF74D93E40ECF173E697F2E38BCFAAB6EE16EFE60047D64661690FFDFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032242Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:55.813{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032241Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:55.720{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32778-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032240Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:55.303{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32276-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032239Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:54.923{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31774-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032238Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:57.294{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9836EAE99187E477A911A9A4CA31157A,SHA256=743841DB336465B363EB248005C17EA65C797FFDF206CC67ABB68BC16CE19B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032237Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:57.013{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D195E27371F44416B832CA13E14BA3C4,SHA256=23E9CFADF28F254C0802F32BFC52FCC24C0F9B6A02C246FD21C5D1D384C9EC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032246Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:58.654{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82891BE3809D22505F7EFAB0DDAE4C22,SHA256=001FC3081FF34E8AA844BFA11119CA70CA6B2D25B8C3AFF76120FA0D04ADC31E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032245Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:56.607{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33782-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032244Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:56.164{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33280-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032243Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:58.029{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C0C3A3E095858F3C89A565A82D5D56,SHA256=5663CE608773637BC4F376C8D91B5EA996728AB5F2BCB1211CA728C9F8F4A6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061005Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:58.074{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD42C195E8A5227EBB91D444AC6DA03D,SHA256=D935F4DEDE017F9E865DCBFFABBF6DC2A6A0AC06041200CF9A9CF5EF57C18425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032251Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:59.982{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2D06AA569F1A6B8227C8A9F75DF1ABF,SHA256=AA5E74259BA0B0613DFAFAD5F1F8A410E8666E4EB9D75DCCF0075C1A96594654,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032250Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:57.861{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35288-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032249Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:57.374{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34786-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032248Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:56.926{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34284-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032247Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:59.060{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E57B1A8D56609A2558A779BB9B8E7B,SHA256=1B135BB0E9E1CFA1CE2E3BAB2FE61E67D8A9F09DA0B2046AB633C273407E6147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061006Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:01:59.090{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDA3D03A13137A27BA149EC3E7DA061,SHA256=2275DA67163B6A0323362029207AECB1303A0A1BA33F2F05632D72F5EF651008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061007Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:00.106{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34237BFC554E411EFFBB9DFAFB2EFEBA,SHA256=0BA1871DE9BA76AF7DB74728A791752424607A91553D82CAB8586EAEFC250848,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032254Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:58.867{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36292-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032253Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:58.449{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35790-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032252Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:00.107{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB44EEC1841B094B12B3B957F24D41A4,SHA256=96D96D19328057DD208F6EE807ED5D770F03D17F2716F5E8E7ED02D240D8463D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032260Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:59.935{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38298-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032259Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:59.655{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37797-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032258Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:59.413{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37297-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032257Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:01:59.138{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36794-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032256Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:01.138{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E583491126E005AE1C2E1F7782D81CD,SHA256=A359BE3B74A85653D9EECAF24343C4D49A714AE4668C3A0E4AF350A3394352F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061008Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:01.121{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E40EDACD258C16A5D1C1C21F1C11DB,SHA256=FD884CA08ACB99AC0B59744DF210C007F5616499A63247BF7EEEFCC6A36781CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032255Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:01.060{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EADEC96F0346B726982BD6934F5B45,SHA256=AFF44FD6EA7B28EA85B7E1CDA0A6DA4A9CF88E354F279F74F48DF88812532DF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032263Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:00.860{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032262Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:00.757{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38799-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032261Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:02.154{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D7D9086A734A1C64B15553B00CD84E,SHA256=A4E9A91B37FF0238A688BF39AAD352786FAB759A96E25E408546BC03A35A8597,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061010Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:00.210{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061009Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:02.137{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C17706B565B1B6ECA2F69A2E49A6D9,SHA256=C476088CC6331163C0A7CCD32836B771045D326997E0A0030ADA72D22190D17F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032266Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:01.854{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39300-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032265Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:03.232{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C003FEE06C2F35970A7414039B87CE3,SHA256=CFF1C996C804476F7CFE9D0D002D34D15A3552B681DA95B40AEE403617BB1A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061011Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:03.153{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCA6B37BE9C8C2375C4D5901B686590,SHA256=53FAB4EC6AC7B54EE80B9D36473553989F9220E75800E5111D436518517BACC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032264Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:03.013{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5D7C0F39D65031978C7F82B4748392,SHA256=99E5C848ACE20201D8119662A1A40EAE4C827C241E2C57A56022145867CD0B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061012Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:04.153{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546D26B0219A20357B376CEECDAD0629,SHA256=DBE7FBC1BC92119872E42FB261FAE55549D3E2D05FF1FA3A9B9DBA7EF93BE7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032269Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:04.732{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E992C9DD3D5FA2A7072A2E3C8DFBBDB8,SHA256=ACC226FB9A91076A571666829976E1797A23EAB0D8608DAFB83F3F0C3E24F3AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032268Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:02.983{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39801-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032267Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:04.247{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B31D45BC4D39406764AE9DCDE50C89,SHA256=C7A547F31FB9F104AD23AD2D6D9F4B9CAAE3A8A143772215FB0CBE8EF149E1AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032271Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:03.569{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40302-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032270Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:05.372{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B7E89E82235F9AAF4E7C4FF41ADCF4,SHA256=ADAFDB40F422A1511317A2D95859D8645FC826B428199F34E9E209311DA316BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061013Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:05.168{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ADF9A112B8349E484B78607A4CE46B,SHA256=0EF3F9DC65111268CCA78E3F92A5AEE06415F0751E831CF6EA60A78D78633290,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032275Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:04.904{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41304-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032274Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:04.124{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40803-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032273Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:06.435{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D213A5102AD92C2AF11985AC624664,SHA256=23A26AAD630DBF658B1C0F25D6CC77842137516EA1CCF5B19A55DA3C1573B060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061014Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:06.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CE698E374EE3A971F6A22DCAFD468B,SHA256=70206E20E03B58F7ACD45122160E3D70862E7409A8E90CC59745455F074B5291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032272Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:06.310{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B37F6A5D5256E806A1567719CC95BED8,SHA256=F7C2F15DCFCA4A724FBD583280250F4A0F6186D21318AB9E4425126469926E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032280Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:06.251{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42306-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032279Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:05.922{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032278Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:05.531{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41805-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032277Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:07.466{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C990E973123ACC4EDF76F80F722189F,SHA256=586078BF8DFE800DA30E0BA9B7ED6FE7EB2583FF77197B0281FD98D631F51672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061015Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:07.199{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BE7444FCF696C13807CE57531A87D6,SHA256=2EC40126007C2CE55F40D4E53ECDBDA0C27FCA867D0850A6AC5FA2C6F1443A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032276Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:07.341{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=622EB4B4972F39F21C509ED9BC221273,SHA256=E276D316ED772B316FE349FB593D5ADFD4DE7EBAC5BCB2BDB7A0948743FB9CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032285Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:07.126{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43809-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032284Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:06.914{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43308-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032283Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:06.624{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42807-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032282Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:08.747{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C3E72784D8F4F7C5A3FFA3FDEA8A32,SHA256=984157D07E5789B9558432EE54F2BE2411BB6AA184B1EBE79BF3E3BF06D1F108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032281Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:08.529{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7573289430EE676BE3669F0C0B7F1B4A,SHA256=B1D3E1428779AFBDD199F6F14B7F03D17DB201022716F0CD259B749B014C7F56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061017Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:06.178{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061016Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:08.215{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC733394AC1D36256DBEF640AC6EB813,SHA256=BB17B053140EF5AAF75C549A73FC41CB9AD168E7EC82FE1D5E2CEA0E0B0F3D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061018Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:09.262{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197E5E813FE4151D5BD8BDB174902915,SHA256=3208E4F108A41121F46D5F69FEB1C59313AE645DC43CE59B1405731563D6FDB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032288Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:08.275{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44811-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032287Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:07.865{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44310-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032286Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:09.607{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B1FC95A07CF8D660DDB2689605C776,SHA256=4A8BF60F2E7EC6D30794CE05D496CBF62398AD6D78BD3795237208B5D5910405,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032293Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:09.172{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46313-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032292Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:08.896{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45813-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032291Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:08.585{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45311-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032290Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:10.622{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F483EF94704C929393B14C123F445520,SHA256=3DD121617604E7F097F090512D7A6F9047A74844FF36502445614E7184C38A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061019Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:10.309{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4518BC5DF037A92CB4146637F7005C6,SHA256=50B604B59990DDD5AAE2330F56031507A29C6050084F081D51258F156B659F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032289Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:10.091{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A2EEEB23F0DD388F78597F1E8DA2C3,SHA256=C5F7493BCDE3361D284C70F651CEE369963E9703BF8371C9532F86186533B384,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032309Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:09.825{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46815-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032308Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.747{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300CA9AB0183C2AE9EB71444054DB673,SHA256=7F2FF0F136E6C7B548E40AE480F9248D1F88E27DF02DA8D1CC2B73E8DCC7F948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061020Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:11.324{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF3262E72FFE86E4509AADBF2E7D6DD,SHA256=C3886CEAC9D7435981AE6B5FAA6995EBCCBECCF4DE0220A8ADB574A725D2CB71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032307Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D23-6092-0205-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032306Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032305Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032304Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032303Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032302Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032301Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032300Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032299Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032298Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032297Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6D23-6092-0205-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032296Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.591{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D23-6092-0205-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032295Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.592{04D9AEC0-6D23-6092-0205-00000000BC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032294Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.388{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4AC470DE0DB05E6CCBC23398E68643C,SHA256=74030BECD7748B3513A85A10D6669837E9DD42FBC5C9BBD1DC4A8E420E05C2D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032340Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:11.138{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47317-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032339Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:10.954{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032338Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D24-6092-0405-00000000BC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032337Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032336Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032335Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032334Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032333Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032332Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032331Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032330Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032329Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032328Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6D24-6092-0405-00000000BC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032327Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D24-6092-0405-00000000BC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032326Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.935{04D9AEC0-6D24-6092-0405-00000000BC01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032325Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.810{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BD2A5C41B5BC45BDF0BA19B4441922,SHA256=07EB9115FEEB6BA5120DA8C9DA8E3FD12FF826DCBE41CA718AA4020F5064D559,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061022Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:11.194{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061021Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:12.387{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECD6944A67481FBAE317EC57D80FF5B,SHA256=B01428B7081942A2BDC253FF0B60E6A1CAE5C489C560045E09D7CB69E6BA57C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032324Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.607{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=596BB8B49C80139212686502623DC6CD,SHA256=ACD3ABFE44C7FAEA4CCF29739F808993A12465A4B20D83B5C13F7E51A1AEA269,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032323Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.404{04D9AEC0-6D24-6092-0305-00000000BC01}31163008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032322Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D24-6092-0305-00000000BC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032321Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032320Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032319Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032318Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032317Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032316Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032315Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032314Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032313Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032312Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6D24-6092-0305-00000000BC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032311Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.263{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D24-6092-0305-00000000BC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032310Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.264{04D9AEC0-6D24-6092-0305-00000000BC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032355Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.982{04D9AEC0-6D25-6092-0505-00000000BC01}1928184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032354Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D25-6092-0505-00000000BC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032353Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032352Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032351Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032350Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032349Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032348Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032347Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032346Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032345Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032344Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-4952-6092-0500-00000000BC01}648664C:\Windows\system32\csrss.exe{04D9AEC0-6D25-6092-0505-00000000BC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032343Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.841{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D25-6092-0505-00000000BC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032342Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.842{04D9AEC0-6D25-6092-0505-00000000BC01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032341Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.825{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DE528FF993D55B31673B01A88B152A,SHA256=D9FEAACA26550D27D6DA278CB8A0345D75EF991D8B2FA5C6BC49B16494F3596A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061026Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:13.715{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061025Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:13.715{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061024Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:13.715{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-471A-6092-1500-00000000BA01}1536C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061023Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:13.402{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308AEB4F0329DB59D5EBB28A97F557FF,SHA256=A9DCEEDF0922957F41BB48B19BB4BAD28479D3CF86820EFC05C12B1134ED1539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032358Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:14.825{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788B3367E45D6F1348D7AE2F3353F44E,SHA256=E7679EBAAA21D16F09664732CEEFB6EEE362AA0105F07F64E6FC09368B47B63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061027Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:14.418{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B300944C4B0DF49058D2384178C185,SHA256=57B858BBB0860CB352CEFC448A760A0275B3A053C852BB345031309C34807B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032357Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.032{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47819-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032356Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:14.013{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB641891A976B012B28227F846D154E,SHA256=D47E95C0199AF3D782C4C6C95D4ABBDF35131A858BFC899800BD428827F3E60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.935{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2365E43EEC002D0D626131ED000A6,SHA256=626380376E2AF4EEAC7C147BAA91611694B9D15561C4C4C65AC843DE01CC85D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061029Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:14.199{B13AE1A5-471A-6092-0F00-00000000BA01}1140C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse51.161.104.168ip168.ip-51-161-104.net63933-false10.0.1.14win-dc-763.attackrange.local3389ms-wbt-server 23542300x800000000000000061028Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:15.434{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B03323239C89401731E4F0EEDDABAF,SHA256=1616AACFB3C85FD3BD74B119A9615346AF97DEECF2DE868567A218AAC08E4D65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D27-6092-0705-00000000BC01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032380Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-4952-6092-0500-00000000BC01}648764C:\Windows\system32\csrss.exe{04D9AEC0-6D27-6092-0705-00000000BC01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032379Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.794{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D27-6092-0705-00000000BC01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032378Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.795{04D9AEC0-6D27-6092-0705-00000000BC01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032377Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.505{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49321-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032376Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.025{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48820-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032375Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:12.610{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48319-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000032374Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.263{04D9AEC0-6D27-6092-0605-00000000BC01}8882640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032373Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.185{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD65EDD758318A60C7E1AFBDCDE8C21F,SHA256=8320DD1C3B0145BB685D02E537C7BEA635ED067596647F31780850EBD4D1C969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032372Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D27-6092-0605-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032371Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032370Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032369Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032368Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032367Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032366Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032365Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032364Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032363Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032362Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6D27-6092-0605-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032361Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.122{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D27-6092-0605-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032360Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.123{04D9AEC0-6D27-6092-0605-00000000BC01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032359Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.044{04D9AEC0-49B7-6092-9900-00000000BC01}492NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.950{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D970B24D2AB7B017DFCECAE6483108E9,SHA256=75803D6ACD4FC0B3FDE6EDAE286CEBFAB7D3786CE478915E50487C3DA03A9F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061030Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:16.465{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2D45510EC50DA98E705B184FB07CA1,SHA256=1DCE1B0DB587D94425400CB9CE578EE6C597638B02671B92E9414ADD22939251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.591{04D9AEC0-6D28-6092-0805-00000000BC01}40442476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-49B7-6092-9D00-00000000BC01}39363776C:\Windows\system32\conhost.exe{04D9AEC0-6D28-6092-0805-00000000BC01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4953-6092-0C00-00000000BC01}960644C:\Windows\system32\svchost.exe{04D9AEC0-4954-6092-1B00-00000000BC01}2092C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-4952-6092-0500-00000000BC01}6481084C:\Windows\system32\csrss.exe{04D9AEC0-6D28-6092-0805-00000000BC01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.466{04D9AEC0-49B7-6092-9900-00000000BC01}4924056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{04D9AEC0-6D28-6092-0805-00000000BC01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.467{04D9AEC0-6D28-6092-0805-00000000BC01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{04D9AEC0-4952-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.372{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90FFFD2B14DB3BE59570820AC6BE8DAD,SHA256=986CF10229FD2C15C484977FB4951DEA35A8C7B108E0345D95044BE28A589D30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:14.813{04D9AEC0-49B7-6092-9900-00000000BC01}492C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:14.574{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50831-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:14.159{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50330-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:13.848{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49830-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.966{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09128C01B4A62B8D7FB1A5E2D88D6EA,SHA256=07927E481491DA66E5D00D9782F4A125941B983CAA3F441EDA670D46045ED852,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061032Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:16.225{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061031Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:17.496{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6964AE574A9F3257C821D3A721A43D0F,SHA256=1241026EB63288041854FD96C7FBCD09941CFDCA30CE49CA3E5F9E82195E073B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.497{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04B9D7CD610F6FEA46044317CF7BC813,SHA256=D097DFC20EBA38E536C4D4D3B7E7BF70ECEB15915E8569BFC5EC64E28BEF9034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.710{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51833-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:15.186{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51332-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061033Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:18.668{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19725283911AAC698D44D21AD63477E,SHA256=16D654A2DE3A82714E9AE74E9F766AE3FC0214D789F6B88C51CFC21A551D5405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:18.591{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7233402C499DE34286DE3E9FE70E1562,SHA256=D18E20966C040A2355647484E1531EE46835B033CD732B0A0A97EDDEDD110E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.969{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.600{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53336-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.322{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52835-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:16.049{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52334-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061034Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:19.699{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E2EEDEECE01080B2BC3F91461CC739,SHA256=EAE980DAEE595E5515659D094FBD841825FA727E903E7280E4677F9B75829650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:19.685{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1A031A7F48E1974242E5B791B8C9488,SHA256=EBA07AFC356E179792F74CD6F91760E99917AD8B97A9A3FAD665000A1A5A0CA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.978{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55841-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.707{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55340-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.431{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54839-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.223{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54338-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:17.016{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53837-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:18.997{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011C1365047FA911A9A4CC2DF43858E7,SHA256=8B8CE3D16516C8192F25DEDA5332F542BE4B863A92BD958424D70E1909BF9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061037Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:20.871{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B618D236BD1E39D590620FA804B24C63,SHA256=E903516808CD34EB062A4A7452B79D907F8241BEB5C55C8C0C082EA6EC30F629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061036Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:20.871{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B122B62E2DD1E4AA0996304147F59AD,SHA256=A5CDD2F7642D6BDF30842435F21750652058BD60837A066A220E486DFB17028F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061035Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:20.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E2E3FBAEB89BEC01AB593E847D341E,SHA256=06A253EC1E50A5719ADC8386059705F1730F4BD18E98ED0AC1A23400FF3C63EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:20.700{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA5D828C141044A46D8D8D3514BAA21D,SHA256=270DA8A4406ABA984649D52677BF330BFC8D0291D0E53A96D2CD399ECF8578A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:18.943{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57344-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:18.637{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56843-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:18.327{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56342-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:20.028{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98A7D638C9FAA0A12D2A90264160B62,SHA256=C354E1318594F28BB58C6270732006669241F1666A5D66D8FC1FA54D572EC09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061038Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:21.809{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743CC6E598720BAE66FFEB443DFD6B84,SHA256=FF4DE77944BA2755103C46A1956F392155D70A886CF744AFECE0FDA6524D1AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:21.888{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C2D0B860A724000BA75AF1E331C38A,SHA256=4703540DB34B630969148A091AF35AD66B632C78321401CA2359C29000C79A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:19.733{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58847-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:19.458{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58346-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:19.211{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57845-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:21.044{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EEE13A10BC020AEA9F0A62ACFD18D7,SHA256=152872BAE0EF98810F5A6428592E1D00C6AC8A995B37A6112A24C614023457D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061039Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:22.856{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD850DEF12AEE4A0A4DCE01B9C2A1832,SHA256=2D5120B8CA647D0B82360DFD26D26A58E56E0A0A20E9501BE963D8E183CFC4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:22.966{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBDB6FECF632189CD0F1DA945CE8BCEF,SHA256=1B1E6E6899F54743631E4F6ACFFC243D60E058A1DE0887B03FD173C20556637E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:20.912{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2375-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:20.668{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1874-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:20.428{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1373-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:20.185{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59848-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:19.980{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59349-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:22.138{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D6B2EE7FAA89BDF002340CB67A9DE9,SHA256=E4CFAFD2AF4EA0E1D939BA787852A9C7778F0DAC9F4E9F35BBA6C4F680451D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061041Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:23.902{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F921DD517C2212AACF2B71B5F54F8E8,SHA256=038D405E662055246ACF11E1C9725BB08EF0194F0DCF7BAC708DC77CD0C0E70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:21.672{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3377-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:21.361{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2876-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:23.153{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E4F49242A1A57D8023EDA38F8E8CDC,SHA256=B900D1B2EBDCBB7C5181BD9B278822A6E11709639C71A4591005A83173FB34B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061040Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:22.038{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061042Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:24.949{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD59478D9EE3B8E0C55C28BE1954091A,SHA256=7F7E9EBCDF2C380570B9816FDC876E53B049CABBC9CD1ACCD091CBEFD539D9F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:23.188{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5884-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:22.879{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5383-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:22.534{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4881-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:22.252{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4380-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:22.000{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51681-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:21.978{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3879-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:24.200{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CA9DB692ADF0D07531EEE71E7200FDF,SHA256=08E3374859C630E3BD3F66A23BC3AC8566CA62EC1F46B855523129A8F5BC32C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:24.153{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6553EAF3AA9CD431324DCFECCFD09B,SHA256=A08AB465649168DC7687AAED2B00532E47A618CA6B88BB9CE5D8FA9D440A5009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061044Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:25.965{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80B958EAFB70CB72EFBFF75C9A4939E,SHA256=8F1EEF8B9CD902B7B1EE7DF34A0367FA8E8B985150D053A086E7CB1BEED14268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061043Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:25.293{B13AE1A5-6B56-6092-0809-00000000BA01}2776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B8F6AC487C3EB4807C8A821C96510890,SHA256=9F3A6FB50EDAC3D6FBA4BBCF256B406175851EA85B2B92F295AF30C7AC635F82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:23.465{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6386-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 13241300x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008c3659) 13241300x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418d-0x5da93121) 13241300x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74195-0xbf6d9921) 13241300x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419e-0x21320121) 13241300x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008c3659) 13241300x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7418d-0x5da93121) 13241300x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74195-0xbf6d9921) 13241300x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-05-05 10:02:25.405{04D9AEC0-4952-6092-0B00-00000000BC01}864C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7419e-0x21320121) 23542300x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:25.280{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844C9DF685082DC806B8B35EFA0D5CC0,SHA256=23EF08973F060CE73FDD8B7334768560C8FC642CD734E427AA196043CC41AB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:25.264{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9008E5E0B6A7E3D37D745E30B5818753,SHA256=60DD93827A971AD47DDB5624E8CCBEB812E554313D2D1F549A70F2C00E13677E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:25.091{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9894-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:24.860{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9393-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:24.646{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8891-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:24.417{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8390-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:24.183{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7889-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:23.947{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7388-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:23.733{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6887-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:26.342{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB7EBF23678A1E09E215A3A45F54267,SHA256=0EF74EF3749464066FF72577CCDD40B2CE8BB55E4331582FC8D80F6EDD5B954D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:26.296{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAFCBFF8C1E530A49F7A161C8929705,SHA256=9147E542BA2DD2F813EA4E099BBAF84A2A7783B7A5AD687C1CDB6F8DBA99EE3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061047Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:25.241{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000061046Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:26.949{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B737B38A90A3FF2D67D586C17E21C18,SHA256=61A90C9D6C4D126734DC9F6A08E04C944279082254030B9E40534E70924B47DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061045Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:26.949{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B618D236BD1E39D590620FA804B24C63,SHA256=E903516808CD34EB062A4A7452B79D907F8241BEB5C55C8C0C082EA6EC30F629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:26.124{04D9AEC0-4953-6092-1000-00000000BC01}1068NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D30826A2AD6EA333062415F0F2F0AE5E,SHA256=606DD7C60A51A41BA96155A64E292457F2B7205C3CACA83B414E6BA98E394CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:25.793{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10395-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:27.702{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C68F049C891365BFBD2B71068D809D27,SHA256=EEA79F909EE530B10716D1A78444CBEE64A66856A0E5C5AEB3178FEAAD7EE90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:27.311{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80F28DD26A086D92AA3F89F3BD849B5,SHA256=B5ACF4255082589B8FA1E0ABE4379D325BF37D67716569C464F54B5C14F6FC96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061050Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:25.881{B13AE1A5-4718-6092-0B00-00000000BA01}860C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54182-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 354300x800000000000000061049Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:25.881{B13AE1A5-472A-6092-2800-00000000BA01}2588C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-763.attackrange.local54182-true0:0:0:0:0:0:0:1win-dc-763.attackrange.local389ldap 23542300x800000000000000061048Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:27.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36041B1497C23B74EBF5251374074B5B,SHA256=77E501A28434C545B507199AC2C0C9381798909D9FCAA00A50ACE8F77F6025D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:27.201{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11397-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:26.791{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10896-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:28.342{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52286639194A29C97A784554C596D3E,SHA256=4C60858438A2B845A95E81A64F370E805A2A28173F8B87163FEAE802CA4C96D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061051Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:28.152{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BED8B33CA9AAB923DE943A585EE5D7,SHA256=16CF4123BEA1A395943490C0769B6B5EA6E72044625E3BE7A1F28BD6DE364FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061052Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:29.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD687B507A3739EF4A5CB3AB6198CEC,SHA256=AD4754ADE22979A50B7D339223BA1E23CEB23E81E68F1691FAD9FA932C136535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:29.733{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C35B673F44CE382312FAF5850DFE1136,SHA256=235943090370BC91DC9C9FFC0928681686AD4912EE038F506D2EE2E386F70037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:29.358{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABDD989F2FD8192E7F590DE2BA20203,SHA256=BD51D17DAE60346D81002999BF3D39A3F498B71FD8FB924D7379251CCECBD475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061054Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:30.199{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AD9BDAE75E4ECF82D9B00B03A0699F,SHA256=85553F1C9EBAEDD202D3C68CE05239305E256FD16BF411683D5E513EFA6F8D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:30.764{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8A51585674CB18F97196FA56FF16EE,SHA256=2748EF6C5F3DD96F19F1BF3F202BA90F792B8142A828C18D99E94CB26FFCF2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:30.389{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C082D6215C39226DBF8EF0D56D73C5DB,SHA256=6427760B790B0BDCD24812A75EF8FA45FFF5E31F8D19870BD5FBC7798373EC00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061053Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:27.100{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:28.016{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:27.923{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12900-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:27.751{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-12399-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:27.508{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11898-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061055Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:31.293{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E14A6CBC0A8ED599A3A5655CA1573D,SHA256=4975C34D88BA1F174320D01071C7B1D875D0D6C7191643C1110CBF2A26DF008B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:31.405{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D8CE7849D0DD16120B8868569B0752,SHA256=5946746208D57EDC4BE7A13B6E4F97EA0BD7E212A9E0785112B113EC8C63BA55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:28.611{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13401-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:32.686{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=792A882D9A5C6B4ECAD6BEB40347A107,SHA256=84D044695D9B2F7563582DB3C703A6BB34DE748E71C0290901C9A8424EB97FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:32.420{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EABC4979888EDE09C832FEE933B79AE,SHA256=0DD5844B7D180AFCB13328EA01BD9A367A7B4DD604633C788F0DB1C326949985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061056Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:32.324{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA76F16EC9220F917681813B70496482,SHA256=4846D9D614D53A724C7C32E4A7881C822CDC1CFD65B49693BC55C6B763F5BE22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:30.703{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14403-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:30.257{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-13902-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:33.452{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE87E98586C0E86EE1BA0D249DDC1B3,SHA256=4C5FBD907C989847148ED4B2D401C7FBA959B1F286FFF452A873EA62CCE8A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061057Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:33.356{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6C5712F864002A5E74712F445904E1,SHA256=7BFECFCC0DED57B1B5D541D7F8EB9C9248F628F224850225E436DADDEB6B8C54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:31.598{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16410-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:31.218{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15905-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:31.012{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-15405-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:30.840{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-14904-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:34.498{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7CAA43DFB1EB82A0B46D858483F44C,SHA256=4F565AD993B6DAE35C56DD87D2BB8C309278C4E92F19ADFE43FF9E5FA100EDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061059Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:34.387{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D745A41D507EFA395EAB84926990B75,SHA256=B1D1A3A99CAE39DEF2547079098708B7EABEE134A9AA9ED4E3D721414EAAA867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:34.108{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB95B4D404D10636E0A13FF00B83C20,SHA256=F0A71A72B61447A96D18BC574891E8C840B454C181BFED1CA48315065646A1F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061058Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:32.131{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:35.530{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5562C26651409DB4A28049D6AD10A694,SHA256=D9C4969243A28812914441AB12384ED771278D0B408FD1D5C818BFED3EFEB08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061060Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:35.465{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F447B7907B9410FC3639DA6BA90E3F2D,SHA256=CD0093AFD4C0D3739EBADFFDBD67D495B2051D1F6EE89EBE56A29B144C87CD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:35.327{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4974BD663220A108526F3FBFD23978D1,SHA256=1D6E042E199EFBE70DBBEB66EBD6BE68422157501AC832C52D9287CA1893DA0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:33.828{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:33.667{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18916-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:33.428{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-18415-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:33.121{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17914-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:32.638{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-17412-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:32.046{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-16911-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:36.545{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496A0B926921296EB5D33A3E7D3441F3,SHA256=678519B2EC9A060D603FC636CB35F2A5BA2B875E30B5E7AEECE601BECF5CB52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061061Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:36.481{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB901987514D29D93B0CE27FF7443C69,SHA256=4F4EF685DBB1EBD067761D5ACB3987BCB46CEFF20AFC442545B7BCB22BE69E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:36.373{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E581740D57127B652F94E74CC8C484,SHA256=DD0DB8A0C3E3AA3F3655F753238962E16A01DB836D73AC0E3720311498D2053B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:34.631{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19918-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:34.136{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-19417-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061062Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:37.512{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9303612AC6B0A2E2DED0D5AC78CA395D,SHA256=C3629D2A9D46992FBC24D5E438DD7C0CC80FCA3CCC00D179A520CD1366064921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:37.577{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6AA440D2C14653FE43B5733911BDF55,SHA256=3B125A3AE7765DF80AD3F2DA1D365BF9DDEF5C664A3EAE749FC60B3BC0879A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:37.577{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C288E34E283245535F0DDD89B6BEAF13,SHA256=557316A4ADF3B413C1FCC6472F77BE39BAB09E376551F496D3AD01B640C51EC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:35.866{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:35.526{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:35.149{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-20419-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:34.770{04D9AEC0-4950-6092-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-273.attackrange.local138netbios-dgm 354300x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:34.770{04D9AEC0-4950-6092-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-273.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:38.639{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28DB72499EFE7EA2CD6ADECCF9996F47,SHA256=1366C33E383A28DC80FDC43248664A7823E4C31D7DDC0F71D90E12AC5B76A3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:38.592{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4B631EF556ADD0E99D89DAF003008D,SHA256=CF18C90552F3C4A7E247899B8ECC7DE13947501DBFA27AE522E3DDE0854234C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061063Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:38.621{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844FEA062AEDD7B0A671E4206B6FAC21,SHA256=9A42E22BC3B426DB383D69A17C559C59F2C4E01C375AA0015968992F491E584B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:36.728{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:36.244{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-21920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:39.811{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C18F0CE0D3CA2755D3AF3AC57FA9EA4,SHA256=0E93453E386086251B2BE15F46C08B4C8FCE8DABB1B3A75C2A5F80B9B5D3D05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:39.608{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BB00E583DE879E2CD77786BDDEEEC,SHA256=B5348BA9EFDA79A96167F682A3C8415BCA32C990D87F9068CEDEF6059095461B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061076Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6D3F-6092-7B09-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061075Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D3F-6092-7B09-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061074Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.997{B13AE1A5-6D3F-6092-7B09-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061073Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.637{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBA95EF479C8D09788196183C4FD36F,SHA256=DB9F58D5A32AC4C00DE70B43ECEF38C360793E747BDFF0BF684D0A95DEA08431,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:37.901{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:37.614{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-23420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:37.239{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-22920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x800000000000000061072Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D3F-6092-7A09-00000000BA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061071Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061070Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061069Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061068Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061067Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6D3F-6092-7A09-00000000BA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061066Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.105{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D3F-6092-7A09-00000000BA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061065Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.106{B13AE1A5-6D3F-6092-7A09-00000000BA01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000061064Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:37.194{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:40.967{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB3E77A283A9D8B59D2CBFCCC7F806C,SHA256=8D35519264B3359E32A84F83167B2862041D954785188282499CA848DD7188C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:40.686{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E01375E540C25168F8D91AFADFD70A,SHA256=B74CEAE0DE1A19C06FBAB89BD235C9681D45D72769A367770722CB24909EC5D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061093Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D40-6092-7C09-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061092Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061091Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061090Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061089Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061088Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6D40-6092-7C09-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061087Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.668{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D40-6092-7C09-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061086Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.669{B13AE1A5-6D40-6092-7C09-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061085Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.652{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F43591CF1BB8F3697F9A02F6851CD00,SHA256=0EEFDD9284476D35E23B8623B1C547FAEE7590F63A1ED3AE4C5105AE1062DAF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:38.919{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:38.875{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:38.579{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:38.268{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-24420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061084Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E5E7F162D45E58E4F7B61C19883370,SHA256=ADEE88BA8905865D8C1A46A2B8EE6DAFD1C5C407D5AF3E5A6D62411983C61D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061083Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B737B38A90A3FF2D67D586C17E21C18,SHA256=61A90C9D6C4D126734DC9F6A08E04C944279082254030B9E40534E70924B47DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061082Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:40.137{B13AE1A5-6D3F-6092-7B09-00000000BA01}79844192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061081Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D3F-6092-7B09-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061080Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061079Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061078Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061077Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:39.996{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:41.905{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FDF48BAA0A9DAD4DE4AD6D26EC9848,SHA256=EB6214FAD08E57BAC12BB255DD21D1C75D085C597AAA502EF91B53CFCF4CA001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061104Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.902{B13AE1A5-6D41-6092-7D09-00000000BA01}76047308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061103Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D41-6092-7D09-00000000BA01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061102Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061101Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061100Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061099Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061098Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-4717-6092-0500-00000000BA01}644760C:\Windows\system32\csrss.exe{B13AE1A5-6D41-6092-7D09-00000000BA01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061097Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.762{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D41-6092-7D09-00000000BA01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061096Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.763{B13AE1A5-6D41-6092-7D09-00000000BA01}7604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061095Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.684{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E5E7F162D45E58E4F7B61C19883370,SHA256=ADEE88BA8905865D8C1A46A2B8EE6DAFD1C5C407D5AF3E5A6D62411983C61D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061094Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:41.668{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDFAF2C3A3B6F37068FA81471750F78,SHA256=7E070C377C0328ACB9740F6BFE03D3FF3DB811D7D087EF0F948DA90EC9D29858,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:39.914{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:39.574{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-26420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:39.333{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-25920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061115Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.809{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04976F09CA573C77C4928A036048940B,SHA256=24466B038D6CFB606DD1CAB25CC62000BFC4C2C13857026F34D7F93A861AB29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061114Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.684{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CAAE9D1462C00562B33E27D51A9527,SHA256=033CCFBC1EDAA05DAF9DB8CDE25D4BC4350F0259C3DBF05D596BE94AB7BE1423,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:40.707{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:40.261{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-27420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:41.998{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66502E1004DCDD7AA086C76124F457F2,SHA256=CD4A41AC7B5BF43066ADD477DFF96A5587658FB2BEB7650A196DB75041634250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061113Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.637{B13AE1A5-6D42-6092-7E09-00000000BA01}9965480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061112Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D42-6092-7E09-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061111Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061110Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061109Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061108Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061107Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-4717-6092-0500-00000000BA01}6441192C:\Windows\system32\csrss.exe{B13AE1A5-6D42-6092-7E09-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061106Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.496{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D42-6092-7E09-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061105Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:42.497{B13AE1A5-6D42-6092-7E09-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061125Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.699{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497B60AD3DEF5ED3E04CB24C670C3F44,SHA256=8304854C145E29F5325AFB686ED10CD894590E166E27166D3679B9BB71F01CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:41.809{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:41.525{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:41.190{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-28420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:43.248{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72AE24A4FEAEDDC7192054EF8AC2CDE3,SHA256=250B40E93FEA1EF8C7BBD40AC3ACE4A0F65D89CBA5A34CD9AA1354FFE12E4C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:43.092{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489F8E705461E480F564FE54587EAF5,SHA256=A0A7C03E33B1644505ECBBC9CBCDD39535DCD4787F8AAA9E48FAE293A466E12D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061124Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.184{B13AE1A5-6D43-6092-7F09-00000000BA01}41445888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061123Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D43-6092-7F09-00000000BA01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061122Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061121Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061120Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061119Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061118Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6D43-6092-7F09-00000000BA01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061117Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.027{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D43-6092-7F09-00000000BA01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061116Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.029{B13AE1A5-6D43-6092-7F09-00000000BA01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061135Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.715{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40311FFD60EA077C6791670775D64C8A,SHA256=9821E3BA63EB47D7C121ABF2E6134C1BB7F921B5E97EA48227B69972E65B905F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:42.640{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:42.433{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-30420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:42.159{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-29920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:44.514{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA1D68F3BF7CA3286289A20A6086628,SHA256=9CF8F04523059C19FC35B86CDFC18B262D846374AA7DBADBDE90F2CEF7AA48E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:44.139{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ECEF1A1E820E9E7441A6C497FEAD2B,SHA256=3CACA31FAD29B71715B7EA38F3117280A655FE7B11D451C5500A9FEED6A65B43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061134Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-6B56-6092-0C09-00000000BA01}58088168C:\Windows\system32\conhost.exe{B13AE1A5-6D44-6092-8009-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061133Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061132Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061131Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061130Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-4719-6092-0C00-00000000BA01}6085352C:\Windows\system32\svchost.exe{B13AE1A5-67F0-6092-6008-00000000BA01}1784C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061129Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-4717-6092-0500-00000000BA01}644660C:\Windows\system32\csrss.exe{B13AE1A5-6D44-6092-8009-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061128Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.371{B13AE1A5-6B56-6092-0809-00000000BA01}27765784C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B13AE1A5-6D44-6092-8009-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061127Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.372{B13AE1A5-6D44-6092-8009-00000000BA01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B13AE1A5-4718-6092-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B13AE1A5-6B56-6092-0809-00000000BA01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061126Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:44.074{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8450C8A84C11C4BBF3D90B35F6EB743E,SHA256=744ADB2879A3F20AE879B2523736E9B229235F4D2AA6345B66082951482AD086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061138Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:45.715{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD94EFB18876C00E1973ADD6010112B,SHA256=B37FFEBBDA2A528770BF8D6A7A9B4156374E2AFFBB9DA3542CC5C1B432A892F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:45.670{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B05194379ABC55745E26911D5C3C5D,SHA256=F7B30E912AE804795450DB4BFA59B4CC3E52580A46333DC03C806938015C4F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:44.049{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:43.922{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:43.739{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:43.452{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-32420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:43.187{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:42.912{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-31420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:45.155{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3404F75C59AFB3D0C07A5F6C50E867B,SHA256=D2AC4F8E76ED46B8CD374DB6581D3D8F9E0D4A5F03576A0271DB11604D891EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061137Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:45.402{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4ED09D7642DAF3040203CA17CCBC63,SHA256=2831ED3A22DC46ED46AD03679C903B27638320C76E025659DFAC927048924350,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061136Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:43.225{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061139Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:46.731{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7345A347E715F3266CB477A666244D,SHA256=8190C6E24F305CD0E09ACFAC85C5E51FC755B5FBBCA92189E1C34EEA3AEE4BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:46.717{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B4E3E20E49D721F7EEBD8B47DA03AA8,SHA256=165026EE869EEC737B21C3F19EB1C0908197C92B2E24A8C43010480630EBDD55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:45.102{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:44.800{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:44.564{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-34420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:44.321{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-33920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:46.264{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91640941A90482F25AC1EC0F2234B890,SHA256=FF80F7BA21612F11A0BA52494FFBA3DD4F85B1F8173748D2879B0B4FA1F1F776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061140Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:47.746{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321E0D51A1D673E07EDBD62C4276F94C,SHA256=E0A0541541B7F87D285321748695E086DAE3FE795F24110F3F507A09BCE34329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:47.842{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC239C4514898903055235DE75BF12DE,SHA256=8008F53EA366BFEA8A30DFD579ABBFE7EEC6AFE78C7A5A7D8F19F7557A504054,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:46.206{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:46.000{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-37420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:45.793{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36919-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:45.552{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-36420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:45.312{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-35920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:47.279{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566870A92A74D7F705054F7E9AF24E04,SHA256=FEAB700A88886C09C7345BED17BCCD228166A9CBA4470E2AE58558F869E5B851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061141Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:48.746{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59980E292BB65C182F9EC46A352E386A,SHA256=A5F7641EC8F20413BA70FEA557AA1743EF04B766EA9706A3057EA87A483EDEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:48.873{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EC53D1383E666DF18FAF2688439B6B1,SHA256=A49B520240F2F68E7C3DEE011DD0879997EAC893C5205A2841ABCB18FF60B5C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:47.098{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:46.758{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:46.513{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-38420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:48.358{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3897929F13D8338281ED4AF3C20613,SHA256=436A2908E321C4349C19A4CA3932F82E243A5147940AA0AC3B03BC84FAAC96AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061142Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:49.762{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B35DBF72910456D15CCE990921FD4C0,SHA256=D24984B595722B3B0E19936871C20D37B6DD758D3441D7EF78A7DDC112763756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:49.983{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2F00ACD22FAC54B027C668C780C194,SHA256=306FBFFBD7FBBE5A25C164FA9DACA47119A6015BAFC8FE4B8C06352CE8DA0EAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:48.134{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:47.893{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:47.649{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-40420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:47.408{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-39920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:49.404{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DABE3976729AED66462EB27A03B31E4,SHA256=5E5C32AC4FCDC26BFE8EF59F8DBA4CED0E039321B67C896214DF57CD81C6433E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061144Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:50.777{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EA4F353CFA20C4966D01E1CE921DFC,SHA256=FD90B8B02E541F2A05BBAED76CB4E6E3349EA4CE7126C9AC5B5CB35D04EF7453,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:49.297{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:49.016{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:48.984{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:48.718{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-42420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:48.434{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-41920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:50.467{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6E0F6F40993BA1CB78FDF5218E45D3,SHA256=8C6D78B3097078AC0AC5C4BC9C01D61EAD762FD4EF9A11D808FC2A79F16FB99A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061143Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:48.975{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061145Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:51.777{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409FE94F00997C7904B5E3AEEFFC5EAF,SHA256=7EA215EEB3EB870343D535F5E02F9A16143545D3FB11183FB506565C893A39F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:50.350{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:50.147{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:49.805{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-44420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:49.544{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-43920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:51.545{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52579038077063C10D90A3CA9E682876,SHA256=28F6827D3B81DE21E6A8A4DD0FC07029B903AC7F3D41B76FB0A3C7D44274E482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:51.029{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=446B5ECF01BB8F8BB511754D4C214A33,SHA256=F45ECE369B010E6AAA563D1BDA9714E3EE5EB17539E7D6632E1D28AE4E6C7B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:51.417{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47421-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:51.144{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:50.834{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-46420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:50.559{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-45920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:52.607{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F849DF763672FEC6AF5584B8A2B78B,SHA256=2E2E6219643805F45685389005AD335A7ACEC0712D966A4E10151951FDA0FDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061146Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:52.793{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC29B4E7857E643AB69718C54AA9C9F,SHA256=4313DFA4C2793B21E7F706766AAA2762480422404B1AC2B9FC64709CB5336308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:52.373{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8F0C46A15BA250FA2F06BCF4A807AA9,SHA256=C4CA99A45F2D25821D8055241794F7F02377635A960234300EF7D62483EE26DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:52.376{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48921-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:52.038{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-48421-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:51.760{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-47921-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:53.654{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8888C6A6A2BA7972BF9CCF2F9A755E,SHA256=6F1240A8734593AA3C01B8BBC609CD76610A394A294097AA6D72684C869AE687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061147Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:53.793{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D2D0899CDBC34EF05442D2284A2F50,SHA256=438482A9B38271A976E6C9DF6A26529EB1B0D76849F474AA9C5F3C09D355E73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:53.467{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1A626D9DEAFCB520B7D6AC073EDAAB,SHA256=CF1414CE4B5D908D9664D466AF71E1C5D513C29F1751E8D07B9506065FD79337,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:53.200{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49928-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:52.721{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-49421-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:54.904{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F2E5BE1F49AF94BDAA11F5839934D5,SHA256=512AA9C3169384653B460436B006CD96E196398943918770A718986D41C1161C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:54.717{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910370D29895F76525EEC5EABC370760,SHA256=524F6996420022F5A54641E10F6C71C0480DBF424F50ED91382348ABE42F78BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061148Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:54.795{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B128C5BA70BF4108BE5A795E88A3D218,SHA256=9C57D388D1E5A18A826696B97D76B04679835B1FE22541CA827CB755D70FED5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061150Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:55.811{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDD061572F3E3867C3FC0E46DD82AC0,SHA256=B0947DD37DFDA9085FE91BFD960EDE8E90269A338A345D31908C02C9116B2A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:55.732{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6BDEA0ADD5953142ECBF9760C2E3DF,SHA256=2F1795B3648B8D84EB997068A1BBFA0B931CA8A4FE5EC3359EA2F39E38F938AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061149Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:54.037{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061152Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:56.902{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E0EBCB0C8E2B31BE2EFA5AD262A55F,SHA256=A2891AF5234394902F16A172D3B164644C5F3CE0ECCEF452A37527D4B3D41919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:56.779{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DB38735D990366CA63D19AF3B99139,SHA256=A67F8C3EDE8BD6FA6C4945A412248B0E8F80E6C2F13DB0581797465F7AE4B719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061151Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:56.746{B13AE1A5-471A-6092-1000-00000000BA01}1176NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=559DEA78F0EB629E30812B1C32CD08AF,SHA256=EA8EDD346CC21E215DB8C63DA0A20E80A18D2D1B4DBCAFCCB2F6CFD2542D6489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:56.279{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF5AB73081DE3CD76119A14326C469A,SHA256=BF9082B4BA3B4EA018701672EC9482C516286FEA5C4FBA13FB316BC5CCBE0B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:54.609{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51928-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:54.370{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-51428-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:54.093{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50928-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:53.683{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-50428-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:57.795{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4C84BE018DFFB0D7918B694C8E671F,SHA256=11E5FF0C206E42F07A95DAEE9C5D9DDEEEBB7A0B7C24881C12FE57339416C973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061153Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:57.965{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0A5948F1096F0EFBB1BC642D3CE00A,SHA256=243085B680CA104CE8AA7895DC8A1FF322633593F3F5E8F27378C87CEF784EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:57.560{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98BD5A2B446B31A256ABF2AA1B8A6EBB,SHA256=A36FD6F44470F5B6103D9263C4B99AD4D0AF646F79FA256FB60D4C1C5AA86951,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:55.710{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52928-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:55.020{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-52428-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:55.015{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:58.811{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6B47357B130724D3B2A3BCD1C2ADCF,SHA256=4566D366879BDD20900658F48A32411593FA3E95CD727C84A6B995CD8157ABA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061154Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:02:58.996{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25E50DD4FD91344AAA89C0F317E5448,SHA256=330F245B3B0C5F3F0B82A252E3011F2944BA181A53582FEBAE364951B47F2A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:58.795{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F533F182C251C6CA9AF265114EA1CD8C,SHA256=D14FA22B960CBE84277A00786DC2EBC3B3497DBB24F0E655073482D7F1F79570,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:56.730{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53927-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:56.259{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-53428-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:59.826{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0060165AC97643DD18BE532B566228,SHA256=0371182DA11880F543FBD5C9565A06A6DE676A980CA9AD1FB39D913E82FE0CAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:57.707{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54925-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:57.298{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-54426-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:00.842{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD030092FA0B76FEAD9B653E0C754EE,SHA256=C6B1A44A479653C69FBF1602E8A7CE8A16EB6CEAB8141E005325D22048185F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061155Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:00.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7734EE90CBB45A4683762388B34CC304,SHA256=ADE4845926B7A14B4DCDD554FD0E1929BEB377EB0E778071838D5685940782D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:58.605{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55923-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:58.054{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-55424-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:00.139{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03E2869E48B66E77C99BCB662168AE2A,SHA256=7E2EBDD2FCCEA9E772DCFDE50B76DEE493478E6E7DC06CA88FE677109FB7A5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:01.857{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2587AF953252149BDC7EAF3F294295C0,SHA256=D2D30753801F1030C55B783EF7904EE38E0B06A96413B6AF746F287C7D3361D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061157Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:00.052{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061156Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:01.012{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE95CCE85F1A50C3F0906C56D3AB8E8,SHA256=13F03AE9F46F575E353979FC2B9A913B5367AAE4640B43A31E8110BCEC7773B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:01.342{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A352605B9F378ADE283F1C58653ADE12,SHA256=087EC3BBB18D3E729A4DA8A1B6267D31CF9ABA17833C65A2837D79999109459A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:59.292{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56422-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:02.873{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C229B10032336B072D8AAE0CC301336B,SHA256=2338811DC00A88561AF80E720F4C785731146F0D05A0EC6B5FF15489CB748A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061158Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:02.027{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280136615E2D24F6AB5B800300DE7889,SHA256=3CEA6FA00CEF9AC4E254E312D3F60A4AF138431202468BF0F4322A3B087155EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:02.389{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D99BEBE730F982BEDADE388F22D36E,SHA256=78B1C5E95132C7908BBE2DD523D36B8929BFCAF64444AF52B8B319503C89CA8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:00.491{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57917-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:00.046{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51688-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:00.012{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-57420-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:02:59.704{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-56921-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:03.904{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F85FA9BBE01FF4DD1285E7F332B3C0A,SHA256=03DE6CF221ECC297D2B9DA5F9ACBC5AB9F3024DA5686B19967BA553681B6FB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061159Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:03.059{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A8643C1C8367AE1ADA483797BB8F58,SHA256=A1155A1E5179A41A8B9B1A620FB1C2CF03944A363E7FF55020F4F2CE4D5A4FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:03.435{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9CEE07AE21A4DC226E89F0C38ABCBEA,SHA256=54F4811D4C666D8F484FA1C172B304149A25CDE9F22B5A1BCD68CD2E8F822E6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:01.870{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59412-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:01.594{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58914-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:01.106{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-58416-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:04.982{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5086447A47C7154D82CB7DC5DE8A70,SHA256=20FB9BA955B034657011375050334B07E1BBFE8F50AFD70530B42FD44658AF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061160Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:04.137{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAEC5CA4AFDD2D69C10662FD99FF514,SHA256=C073119BFC91A5FCE4719B3CC3280482A4B268E79EC84978B56FE2BA957E7088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:04.513{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E63C11E51C34F96A519A7C13DCAF6991,SHA256=C0959AD02091EC046C8BA5589D1D3F19E0D3CCBFAF6D75797A19DEE711B34D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:02.924{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2427-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:02.656{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1929-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:02.451{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-1431-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:02.204{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-59910-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061161Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:05.184{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1D463FE3E2BF91BE30ED03A5627AD4,SHA256=426B8CEE65C05BE8A98009B502FAF1DDEE5864998ECED616E481A419AE607C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:05.763{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5062CBA1738D7F77E1C662995C5B2166,SHA256=547D4A3431E2FA23816C337CC148B60BFFC4BC35379D9643D306D74B5F6D2763,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:03.863{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4417-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:03.616{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3920-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:03.379{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-3423-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:03.162{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-2925-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000061162Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:06.199{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABD0E28CA998AA3B4239DA9DBB84C0F,SHA256=4558CAC23A69035012028B0B874CCF497CD19E391CE18E2C3BC606E90D85F12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:06.888{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA3902C0EB2FB23250072C5C08DA7A1,SHA256=A64516ACFD16B497C00D7D2A347C6210C192EFF0F301A3FB73B97200A1A2BD69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:04.879{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6407-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:04.640{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5909-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:04.368{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-5412-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:04.158{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-4914-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:05.998{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856FBE74C355C722263FE79DBDBBB5B3,SHA256=9879F763C06CB406B57EB2B568902A6507B3BE64F76E56E968F791A1EB1D556F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:07.966{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F91C39A671D0E59ACB1095737301A38C,SHA256=C3B89F6370CA3F1FD21942D0F7F5E0F1B4EF74494CABF444579BC1760D06BF68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:05.890{04D9AEC0-49BF-6092-C700-00000000BC01}2660C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local51689-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:05.738{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7894-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:05.427{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-7399-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:05.086{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-6903-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:07.045{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5B75B49DB3327E976DE417C23843B8,SHA256=DBBA6CC148ABAF728A97D7E740E717087FD964F20139B2CC13A55E6C80484971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061163Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:07.230{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47539CF8E824CB1C8AEB225B5CE9B5A,SHA256=038E9B7195B239F7112B7E0C341815CBE0C2E25FED66D2AA95D32EFDEF93AE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:06.906{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9875-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:06.565{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-9381-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:06.288{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8884-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:06.047{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-8389-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:08.201{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A869C52FF2EB64D5CE1BF501D08871A4,SHA256=748D7BB6403704F2327C8552B5105F7F4007D7BDDFCDAE3F34A74D0A9E7F56C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061165Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:08.262{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B264F8F0ACDEEA8ED0E5B8C832E652,SHA256=0E042F856115A2F7146504691DA4A7EE74FF5D9D209041D6E33107FE15489495,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061164Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:06.037{B13AE1A5-6B5D-6092-3609-00000000BA01}2204C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-763.attackrange.local54190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061166Microsoft-Windows-Sysmon/Operationalwin-dc-763.attackrange.local-2021-05-05 10:03:09.293{B13AE1A5-6B63-6092-3F09-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806B19316AADC151E41B28E166721683,SHA256=63B2E222CD0A3350EC5F199D08F9F4E66FBB192BF41B545CC844380739A997F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:08.041{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11855-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:07.794{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-11360-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:07.496{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10865-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:07.185{04D9AEC0-4953-6092-0F00-00000000BC01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse5.188.206.230-10371-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:09.263{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA6B5AE0BA815CDBAA4E45742BE0BFB,SHA256=1A70B78C8150B4A12AD2B4EA02444EDFAA6622392D104E0F33E735F7472B6E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:09.091{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=246C626F1A13D1312EEDAFA6C4E1E307,SHA256=91EBF8A3B66D5B6A627618576BAF530D46EEA9E08C7468A897A4CC35DF0AB3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-05-05 10:03:10.154{04D9AEC0-49C5-6092-D000-00000000BC01}3012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=701C6C0F4CC18E9167B112C271CCF5F4,SHA256=BF3158D2CCBDC182AB5A3D6ACF4CB1E83ED5F20AC640E749337A1E388F9B18C0,IMPHASH=00000000000000000000000000000000falsetrue